When you're busy performing all of the steps that go into creating a HIPAA-compliant medical practice, you may overlook your business associates. Under the Health Insurance Portability and Accountability Act (HIPAA), however, all covered entities must create a Business Associates Agreement (BAA) for each third-party organization that accesses or otherwise uses its Protected Health Information (PHI).
What is a Business Associate?
Let's first go over the basic definition of a business associate, because this is something that confuses many people. According to the Department of Health and Human Services (HHS), a business associate is any person or organization outside the covered entity that performs functions on behalf of the covered entity involving Protected Health Information (PHI).
“In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information,” wrote the HHS on its website.
Requirements of a Business Associates Agreement
- Specify the permitted ways in which the business associate may use and disclose PHI.
- Specify that the business associate will not use the PHI outside of the boundaries set forth in the BAA.
- Require the business associate to implement its own safeguards to prevent the unauthorized use or disclosure of PHI.
- Require the business associate to report any disclosure of PHI that the BAA does not permit.
- Require the business associate to disclose PHI when requested by the respective patient or covered entity.
- Require the business associate to comply with the HIPAA requirements applicable to any obligation it carries out on the covered entity's behalf.
- Require the business associate to make its internal practices, records and other documents pertaining to PHI available to the HHS.
- Require the business associate to completely destroy PHI at the end of its contract.
- Require the business associate to ensure that any subcontractors it engages adhere to the same policies set forth in the BAA.
- Authorize termination of the contract when the business associate is found to be in violation of one or more terms of the contract.
Technical lingo aside, a BAA is essentially a document that outlines how a third-party organization, as distinct from the covered entity, will use Protected Health Information (PHI). Some people assume that only doctors and similar covered entities are required to follow the HIPAA Rules, but this isn't the case. If a business associate handles PHI on behalf of a covered entity, then it too must abide by HIPAA.