Compliance Corner: With This Contract, I Thee Enter Into Business With


In cooperation with my friends at Aspida, here’s the next article in the Compliance Corner series.  Each quarter, we’ll feature a new article about HIPAA compliance, regulatory news, keeping patient data private & secure, and other topics to help keep dental practices and their patients safe. In this article, Laura Miller, Compliance Manager at Aspida, provides important information on Business Associate Agreements.  Enjoy!

Think about any entity, or individual, you allow access to your patient information (Protected Health Information or PHI) in order to facilitate their job. This could be anyone from an IT company, your practice management system, even your collections agency. Wouldn’t it be nice to know these companies are taking precautions to safeguard your patient PHI? This is exactly what a Business Associate Agreement (BAA) is!

We’re going to delve into the ins and outs of BAAs and who exactly you need them with. There are several standards in the Federal Register to address what these are and why they’re needed.

Administrative Safeguards – § 164.308(b)(1) Business Associate Contracts and other Arrangements – A covered entity, in accordance with §164.308 may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) that the business associate will appropriately safeguard the information.

Implementation Specifications – § 164.314(a)(2)(i) Business Associate Contracts – The contract between a covered entity and a business associate must provide that the business associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart.

With the HIPAA Omnibus Rule, Business Associates are more responsible and accountable than ever before to protect your data. It’s integral to have a contract in place to ensure your Business Associate is responsible for obtaining, maintaining and protecting your patients’ electronic protected health information (ePHI).

Below is a great start* on whom you should have a BAA with:

Absolutely:
  • IT Service Provider
  • Vendor Support (e.g. Schein, Patterson, etc.)
  • Appointment Reminder Company
  • Document Shredding Company
  • Email Provider
  • Collections Agency

Not Necessary:
  • Another Covered Entity (Doctor or Specialist you’re referring to)
  • Cleaning Crew
  • Consultants not interacting with PHI
  • Insurance Companies
  • Dental Labs

*Not to be considered a complete list

Some larger companies may provide their own BAA to you. This is normal, but beware of loopholes! You will want to ensure a couple of things:

  • The BAA is updated with the latest amendments (including the Final Omnibus Rule in 2013).
  • Subcontractor Clause: Best to confirm your Business Associates are taking responsibility to execute a BAA with their own subcontractors.
  • Liability/assumption of financial responsibility in the event they cause a breach due to their mishandling of PHI.

Covered entities and business associates may be in violation of HIPAA if there is no required BAA in place! For more info, and sample BAA templates, check out

About the Author:
Laura Miller is Compliance Manager of Aspida, which has quickly established itself as an industry leader in providing compliance security products and services for healthcare providers.  Their first product to market, Aspida Mail, offers medical practices affordable Encrypted Email without compromising security.
Miller has over 8 years of experience in the healthcare industry including 3 years with a primary focus on HIPAA Compliance procedures.

Thank you for reading!  And as a special Thank You, Aspida is offering readers of this site an exclusive discount on your first three months of Aspida Mail – get the first three months for $3 with Promo Code “DUNN”. 


About jmichaeldunn

A self-proclaimed "dental geek", I am passionate about the dental industry, oral health, and dental technology marketing. I have spent the last decade in various marketing capacities for dental technology companies. I enjoy talking about dental marketing with just about anyone and helping companies grow through developing innovative and integrated marketing communications campaigns.
