As a health care provider, you already understand the importance of maintaining HIPAA compliance pertaining to patient records. But did you know about HIPAA BAA?
The HIPAA Omnibus Rule, as part of the HITECH Act of 2009, requires many of your business associates to maintain HIPAA compliance as well.
To ensure HIPAA compliance by all parties, the HIPAA Omnibus Rule also requires health care providers to sign a HIPAA BAA (Business Associate Agreement) with each associate who handles patient records.
While a HIPAA BAA is required by law, you should not enter into this legal agreement lightly. It is important to know the facts before signing any such agreement.
Here is a look at the five most important points you should know before signing a HIPAA BAA with any business associate.
#1 What Is a HIPAA BAA All About
Under HIPAA laws, business associates must sign a HIPAA BAA if they will have access to any PHI (protected health information) data. This may include a variety of business associates, such as IT support, HIPAA hosting providers, attorneys, consultants, email providers and more. It does not typically include health insurance providers, HMOs, Medicare agents or other health care providers when discussing patient treatment.
It is important not to make the mistake of having every business associate sign a HIPAA BAA on a just-in-case basis. Instead, closely evaluate your business relationships with all third-party vendors and determine which associates will have access to PHI records.
#2 Have an Experienced Attorney Review Document
At its core, a HIPAA BAA is a legal document with legal repercussions. It is vital that you do not sign this document without having your attorney review it first. If your current attorney does not have previous experience with HIPAA BAAs, ask for a referral to one that does.
Ask the HIPAA attorney to review the document and explain what your specific responsibilities are within the agreement. This will ensure that you meet all your HIPAA compliance responsibilities.
#3 Evaluate Business Associates' Compliance
Having a HIPAA BAA in place does not necessarily replace your responsibility as a health care provider for the HIPAA compliance of your business associates. Before you enter into an agreement with third-party vendors who will have access to your PHI data, take the time to evaluate their ability to maintain HIPAA compliance.
Perform a risk assessment to ensure your business associates have the experience, policies and reputation to maintain compliance.
#4 Do All Business Dealings Fall Under HIPAA Compliance
One mistake many health care providers make is to assume that all their business dealings fall under HIPAA compliance. The only data that falls under the HIPAA regulations is PHI, such as patient contact information, Social Security numbers and medical records.
With this information, determine if there is a way to segregate parts of your business practice. This can make maintaining HIPAA compliance more manageable and may eliminate the need to obtain a HIPAA BAA from all your business associates.
#5 Do You Already Have an Established BAA Partnership
You may think that signing a HIPAA BAA formalizes the relationship with your business partners. Legally, however, if any of your current business associates already have access to your PHI data, you already have an established BAA partnership.
If both parties have not signed the required HIPAA BAA documents, your business is out of HIPAA compliance and your company is at risk of hefty governmental fines. It is vital that you evaluate your relationships with all business associates and determine whether a HIPAA BAA is necessary.
Understanding your obligations and legal rights pertaining to the HIPAA BAA is crucial not just for protecting your business from hefty fines, but also for protecting your patients' PHI.
Don’t feel pressured to sign a HIPAA BAA. Instead, take your time, read through the document, have it reviewed by legal professionals, and make changes if necessary before signing.