Does your healthcare practice have the necessary Business Associates Agreements (BAA)? Unless your facility handles all of its operations internally (which is unlikely), you'll need a BAA for each and every third-party agency that has access to your Protected Health Information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to create such agreements for any outside organization that has access to their PHI.
You can learn more about BAAs by visiting this page, but it's basically a written document between a covered entity and third-party business associate that explains how PHI will be used.
Are BAAs Really Necessary?
The Office for Civil Rights (OCR) can and will issue fines to covered entities for failure to create BAAs. Earlier this year, the Hartford Hospital of Connecticut and EMC Corporation agreed to pay $90,000 for a violation stemming from a 2012 incident. Reports indicate that Hartford Hospital had hired EMC to help analyze its patient data without creating the appropriate BAA. Not long after, an EMC worker discovered that his laptop, which held some 8,883 unencrypted patient records, had been stolen. While EMC and Hartford Hospital contacted the OCR to notify it of the incident, they were still required to pay a $90,000 fine.
Restrict Usage of PHI
Aside from remaining compliant with HIPAA and avoiding fines, creating BAAs is also necessary to establish permissible-use guidelines regarding how third-party organizations may access and use your PHI. Unless this information is clearly explained, the third-party organization (business associate) may assume that it has full authorization to use your practice's PHI in any way it sees fit. As a result, it may share the data with other providers or even sell it.
Protect Patient Privacy
Of course, the primary goal of creating BAAs is to protect the privacy of healthcare patients. Most third-party organizations that work with healthcare practices are fully aware of the importance of keeping patient records confidential, but mistakes do happen. With a BAA in place, there's a lower risk of PHI being unintentionally disclosed.
Start and End Date
BAAs must include both a start date and an end/termination date in the agreement. This means the business associate may access and use the entity's PHI, in the manner described in the BAA, starting on the effective date and ending on the date of termination. Covered entities may also include wording in the BAA that allows them to terminate the agreement at any time of their choosing.