Business Associate Agreements Made Easy

MARLENE MAHEU

January 4, 2017 | Reading Time: 2 Minutes

 5

Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. How

In 2016, The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) levied millions in fines for the unlawful disclosure of protected health information (PHI) to Business Associates (BAs) and the Business Associate Agreements (BAAs) that they are required to use. HHS defines PHI as any health information that can be used to personally identify an individual patient. PHI often comes in the form of health records that contain demographic information such as a patient’s name, date of birth, address, social security number, telephone number, or financial information.

Under federal HIPAA regulation, Covered Entities (CEs) are required to execute contracts with their BAs in order to keep their patients’ data from being breached and distributed on the black market. Covered Entities are defined under HIPAA regulation as any health care provider, health plan, or clearinghouse that produces, stores, or maintains PHI.

These contracts, called Business Associate Agreements (BAAs), must be exchanged when a BA is hired to handle PHI in any way over the course of services they’ve been payed to provide for the health care provider. Common examples of BAs include lawyers, IT services, billing companies, cloud storage providers, and email encryption services, among others.

What should a good Business Associate Agreement contain?

BAAs should clearly identify the responsibilities of the health care provider and the business associate in regards to PHI. If a breach occurs, the federal government will look at these BAAs to determine liability. That’s why it’s essential for behavioral health specialists to have lawful and up-to-date BAAs to protect their practices and organizations from OCR’s record enforcements and fines.

For easy reference, here’s a quick list of features that every good Business Associate Agreement must contain:

The Health Care provider is identified as the Covered Entity
The Vendor is identified as the Business Associate
Liability in the event of a breach is clearly defined and belongs to whichever party is responsible for the source of the breach

Introduction to Telehealth Theory & Practice

Enjoy a fast-moving overview of telebehavioral and telemental health. Understand the key points related to telehealth clinical, legal, ethical, technology, reimbursement, social media and other pivotal issues.

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of Telehealth.org’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.