Lee Slaton, Vice President of Healthcare at Smart Training, writes, “Business Associate Agreements (BAAs) can be get-out-of-jail-free cards in worst-case HIPAA scenarios.” A BAA is a written contract between a covered entity and a business associate. It obligates the business associate to safeguard protected health information (PHI) and to comply with the HIPAA requirements that apply to it.
Are BAAs required by HIPAA?
Yes. HIPAA requires BAAs.
As a reminder, HIPAA is the Health Insurance Portability and Accountability Act of 1996. Both covered entities and business associates are required to abide by HIPAA. Both are legally required to safeguard protected health information (PHI).
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 expanded HIPAA. The U.S. Department of Health & Human Services (HHS) enforces HIPAA. Under the HITECH Act, HHS issued regulations (finalized in the 2013 Omnibus Rule) relating to business associates. These regulations cover business associate obligations and the required contents of BAAs.
BAAs are required under both the HIPAA Privacy Rule and the HIPAA Security Rule. Not complying with HIPAA can lead to costly fines.
What is a Covered Entity?
HIPAA-covered entities include health plans, clearinghouses, and health care providers. The Centers for Medicare & Medicaid Services has a free tool to help you figure out if your practice is a covered entity.
What is a Business Associate?
With whom do covered entities need signed BAAs? Business associates (BAs). A business associate is a person or entity that performs functions or services for a covered entity that involve the use or disclosure of PHI.
Here are some examples of business associates:
- Medical transcription companies
- Data conversion, de-identification, and data analysis service providers
- Software solutions that touch PHI
- Document storage or disposal companies
- Law firms
- Companies involved in claims processing, repricing, or collections
- Telehealth providers
Whether a company is considered a business associate depends on whether it performs business associate activities on behalf of the covered entity. If the company creates, receives, maintains, or transmits PHI on the covered entity’s behalf, it is a business associate.
Keep in mind that a covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. For example, Jim Moore, Smart Training’s Certified HIPAA Professional, writes of laboratories:
Many times, the lab has told our client that the lab is a Covered Entity under HIPAA, and that a BAA is not required. However, if the lab isn’t actually owned by a healthcare provider, then the lab is not a Covered Entity. Even if it were a Covered Entity, the law specifically states that “a Covered Entity may be a Business Associate of another Covered Entity.” Just being a Covered Entity doesn’t get the lab off the hook.
Jim Moore continues, “If a lab you use will not sign a BAA with your office, find another lab!”
What does my BAA need?
Covered entities can be fined for not having a BAA at all. But an incomplete BAA can also lead to a HIPAA fine. Your BAA must include:
- The types of PHI the covered entity will provide the business associate
- Allowable uses and disclosures of PHI
- Measures to protect PHI
- The actions the business associate must take in the event of a PHI security breach
- The HIPAA Security Rule safeguards the business associate must implement
- Timescale and responsibilities for notification requirements (telling the covered entity about a breach)
- Consequences for failing to comply with HIPAA
Tips from Smart Training’s Lee Slaton: “Check the documents and make sure they were written after September 2013, and make the business associate directly subject to the HIPAA Security Rule.”
Will BAAs Indemnify my Practice?
BAAs help to indemnify your practice. Indemnify means to secure against legal liability. If you do not have BAAs in place, your practice can suffer a HIPAA fine.
One of the largest HIPAA settlements involving a missing BAA took place in 2016. The practice, North Memorial Health Care of Minnesota, had also failed to conduct a risk assessment. The covered entity paid $1.55 million to the Office for Civil Rights (OCR) to settle the case.
In another case, where the lack of a BAA was the only violation cited and no risk assessment failure was involved, the covered entity settled for $31,000.
But does a BAA completely indemnify a covered entity? No. HIPAA Journal writes,
Unlike most contracts, a HIPAA Business Associate Agreement does not necessarily indemnify a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain “satisfactory assurances” that a BA is HIPAA-compliant prior to entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.
The BAA is still legally required. But it might not completely save you from HIPAA fines. The covered entity still needs to conduct its own HIPAA risk assessment (the missing risk assessment is what made the North Memorial settlement so costly), and the business associate must conduct one as well.
Do Business Associates need to be HIPAA Trained?
The HIPAA Security Rule requires business associates, like covered entities, to implement a security awareness and training program for their workforce. But HIPAA does not prescribe the content, format, or frequency of that training.
However, business associates are responsible for 22% of HIPAA breaches. An effective way to reduce breaches and the risk of fines is to provide in-depth HIPAA training for business associates.
Smart Training Helps you Reach HIPAA Compliance
If you need more HIPAA help, Smart Training’s Essentials and Platinum+ provide written HIPAA-compliant Business Associate Agreements.
It’s never too late to reach HIPAA compliance, and Smart Training can help.