In cooperation with my friends at Aspida, here’s the next article in the Compliance Corner series. Each quarter, we’ll feature a new article about HIPAA compliance, regulatory news, keeping patient data private & secure, and other topics to help keep dental practices and their patients safe. In this article, Laura Miller, Compliance Manager at Aspida, provides important information on Business Associate Agreements. Enjoy!
Think about any entity, or individual, you allow access to your patient information (Protected Health Information or PHI) in order to facilitate their job. This could be anyone from an IT company, your practice management system, even your collections agency. Wouldn’t it be nice to know these companies are taking precautions to safeguard your patient PHI? This is exactly what a Business Associate Agreement (BAA) is!
We’re going to delve into the ins and outs of BAAs and who exactly you need them with. There are several standards in the Federal Register to address what these are and why they’re needed.
Administrative Safeguards – § 164.308(b)(1) Business Associate Contracts and Other Arrangements – A covered entity, in accordance with § 164.308, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information.
Implementation Specifications – § 164.314(a)(2)(i) Business Associate Contracts – The contract between a covered entity and a business associate must provide that the business associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart.
With the HIPAA Omnibus Rule, Business Associates are more responsible and accountable than ever before for protecting your data. It’s essential to have a contract in place that holds your Business Associate responsible for obtaining, maintaining and protecting your patients’ electronic protected health information (ePHI).
Below is a great start* on whom you should have a BAA with:
| Absolutely | Not Necessary |
| --- | --- |
| IT Service Provider | Another Covered Entity (Doctor or Specialist you’re referring to) |
| Vendor Support (i.e. Schein, Patterson, Etc.) | |
| Appointment Reminder Company | Cleaning Crew |
| Document Shredding Company | Consultants not interacting with PHI |
| Email Provider | Insurance Companies |
| Collections Agency | Dental Labs |
*Not to be considered a complete list
Some larger companies may provide their own BAA to you. This is normal, but beware of loopholes! You will want to ensure a couple of things:
- The BAA is updated with the latest amendments (including the Final Omnibus Rule in 2013).
- Subcontractor Clause: Confirm that your Business Associates take responsibility for executing a BAA with their own subcontractors.
- Liability/assumption of financial responsibility in the event they cause a breach due to their mishandling of PHI.
Covered entities and business associates may be in violation of HIPAA if there is no required BAA in place! For more info, and sample BAA templates, check out www.hhs.gov/hipaa.
About the Author:
Laura Miller is Compliance Manager of Aspida, which has quickly established itself as an industry leader in providing compliance security products and services for healthcare providers. Their first product to market, Aspida Mail, offers medical practices affordable Encrypted Email without compromising security.
Miller has over 8 years of experience in the healthcare industry including 3 years with a primary focus on HIPAA Compliance procedures.
Thank you for reading! And as a special Thank You, Aspida is offering readers of this site an exclusive discount on your first three months of Aspida Mail – get the first three months for $3 with Promo Code “DUNN”.