Ensuring HIPAA Compliance with a Business Associate Agreement
With the September 23, 2013 compliance date for the Omnibus Rule under the HITECH Act, many healthcare providers are trying to come to terms with the requirements for documenting business arrangements with vendors. The term Business Associate refers to any entity that provides supporting products or services involving Protected Health Information (PHI). This is a broad-reaching definition.
Business Associate Agreements are formalized documents in which these entities acknowledge their responsibility for maintaining security standards as part of the services they deliver to the provider.
For example, if a hospital has adopted an Electronic Medical Records (EMR) solution, the software vendor would need to complete a Business Associate Agreement (BAA). If the provider uses cloud-based services to store PHI data or documents containing PHI, it needs to have a BAA with that service provider. These requirements are fairly straightforward. It gets more convoluted when vendors are used to transmit data. Just take a look at the FAQ section on the Health and Human Services site:
It can be hard to follow, and there is no rhyme or reason to some of the provisions, or to the structure of BAA documents for that matter. As they constitute legally binding documents with substantial liability, BAAs are a cause of consternation. Some covered entities (providers) will take the “make everyone we deal with sign a BAA; that way we’ve covered our bases” approach. However, this approach diminishes the value of the BAAs and the due care that should be exercised with them.
In this webinar featuring Ross Leo from www.training-hipaa.net and technology analyst Chris Dawson, the panelists discuss examples, exceptions and challenges associated with BAAs and PHI.