In 2016, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) levied millions of dollars in fines over the unlawful disclosure of protected health information (PHI) to Business Associates (BAs), in cases where the Business Associate Agreements (BAAs) that HIPAA requires were missing or deficient. HHS defines PHI as individually identifiable health information: health information that identifies, or could reasonably be used to identify, an individual patient. PHI often comes in the form of health records that contain demographic information such as a patient's name, date of birth, address, social security number, telephone number, or financial information.
Under federal HIPAA regulation, Covered Entities (CEs) are required to execute contracts with their BAs that bind the BA to safeguard the PHI it handles, so that patient data is not breached and resold. Covered Entities are defined under HIPAA regulation as health care providers, health plans, and health care clearinghouses that create, receive, store, or transmit PHI.
These contracts, called Business Associate Agreements (BAAs), must be executed whenever a BA will create, receive, maintain, or transmit PHI in the course of services it has been paid to provide for the health care provider. Common examples of BAs include lawyers, IT service providers, billing companies, cloud storage providers, and email encryption services, among others.
What should a good Business Associate Agreement contain?
BAAs should clearly identify the responsibilities of the health care provider and the business associate with regard to PHI. If a breach occurs, federal investigators will look to these BAAs to determine who was responsible for what. That is why it is essential for behavioral health specialists to have lawful and up-to-date BAAs in place, to protect their practices and organizations from OCR's record enforcement actions and fines.
For easy reference, here’s a quick list of features that every good Business Associate Agreement must contain:
- The Health Care provider is identified as the Covered Entity
- The Vendor is identified as the Business Associate
- Liability in the event of a breach is clearly allocated, with each party answerable for breaches that originate on its side (note that a BAA allocates contractual liability between the parties; it does not relieve either party of its own direct obligations under HIPAA)