As HIPAA covered entities, behavioral health professionals have an obligation to vet their business associates. Vetting ensures that the protected health information (PHI) a business associate creates, receives, maintains, or transmits on behalf of the covered entity is adequately protected.
What is a Business Associate?
A business associate is any vendor a covered entity contracts with that may come into contact with PHI in the course of the work it is hired to perform.
A business associate for a behavioral health professional may include:
- Electronic Health Record (EHR) platforms
- Teleconferencing tools (e.g. Zoom, GoToMeeting, Skype), on a plan for which the vendor will sign a BAA
- Email providers (if email is used to send or store PHI)
- Cloud service providers (e.g. AWS, Microsoft Azure)
- Medical billing services
How to Vet Associates
The Department of Health and Human Services (HHS) expects covered entities to perform due diligence on their business associates. Failure to adequately vet an associate leaves the covered entity exposed should that associate suffer a breach of PHI. To avoid costly HIPAA fines, covered entities must vet vendors before sharing PHI with them.
The most practical way to vet a vendor is to send it a vendor questionnaire. The HIPAA Security Rule requires that the confidentiality, integrity, and availability of PHI be maintained through administrative, physical, and technical safeguards. A vendor questionnaire measures the vendor's safeguards in each of these three categories against the HIPAA standards.
A completed questionnaire identifies gaps in the business associate's safeguards. Before the covered entity begins working with the associate, the associate must close those gaps through remediation. If a business associate is unwilling to remediate, the covered entity should choose another vendor.
In addition to vetting vendors, covered entities must have a signed business associate agreement (BAA) in place before sharing any PHI with an associate. A BAA is a legal contract that specifies the safeguards the vendor must implement and how it may use and disclose PHI. A BAA also defines the responsibilities of both signing parties, stating that each party is accountable for maintaining its own HIPAA compliance.