Deep within the confines of all that is compliance lies the Health Insurance Portability and Accountability Act (HIPAA). Often referred to, rarely read, and seldom understood, HIPAA was enacted in 1996. Although the law also addresses insurance portability, it is best known today for its requirement that a patient's sensitive health information not be used or disclosed without proper authorization or knowledge.
The HIPAA Privacy Rule was issued to implement the requirements of HIPAA. The Privacy Rule addresses using and disclosing individuals’ health information, more commonly known as protected health information or PHI.
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A key goal of the Privacy Rule is to ensure that individuals’ health information is protected while allowing the necessary health information to get into the proper hands to ensure high-quality healthcare is delivered. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.
As part of that protection, every Covered Entity is required to have a signed Business Associate Agreement (BAA) in place with each vendor that handles PHI on its behalf. What is this document, who does it apply to, and is it necessary?
Employers generally need some assistance from a third party to run their business. Outside help makes good business sense but comes with a few concerns, including potential HIPAA violations.
The BAA is a written arrangement that specifies each party's responsibilities when it comes to PHI. HIPAA requires a Covered Entity to obtain satisfactory assurances that a Business Associate will appropriately safeguard the PHI it receives, and those assurances must be in writing as a contract or other agreement between the Covered Entity and the Business Associate. The same obligation flows downstream: a Business Associate must have its own written agreement with any sub-contractor that handles PHI on its behalf.
The actual agreement must:
As with any of these subject matters, a glossary of terms usually helps to understand who these regulations and laws apply to. So, let’s define the parties involved.
Covered Entity – A health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction (such as billing). Some examples of a Covered Entity include physicians, dentists, health insurance carriers, and employer-sponsored group health plans.
Business Associate – An organization that creates, receives, maintains, or transmits PHI for a Covered Entity. Some examples include attorneys, accountants, shredding companies, third-party administrators, and brokers/consultants.
Business Associate Subcontractor – An organization that creates, receives, maintains, or transmits PHI on behalf of a Business Associate rather than directly for the Covered Entity. Examples include email encryption providers, backup storage services, and a law firm retained by the Business Associate.
Inevitably, there will be an instance where a Business Associate or sub-contractor improperly uses or discloses PHI. A failure to meet the requirements of an agreement carries serious ramifications. When a Covered Entity knows of a pattern of activity or practice by a Business Associate that amounts to a material breach or violation of the BAA, the Covered Entity must take reasonable steps to cure the breach or end the violation. If those steps are unsuccessful, the contract or arrangement should be terminated. A Business Associate has the same obligation toward its own sub-contractors.
Employers should review their BAAs to ensure they comply with the law and are up to date. Some helpful tips include:
Whether or not you consider BAAs a necessary evil, they are a requirement that shouldn’t be overlooked. There should be no shortcuts when reviewing the document to ensure all parties are adequately protected. Breaches have consequences. Covered Entities, employers, and Business Associates should familiarize themselves with BAAs and their uses.
For any questions or concerns, please reach out to MZQ Consulting.