Whether you a family care physician, a surgeon, chiropractor, dentist or any other entity covered under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, you need to familiarize yourself with the business associates agreement (BAA). This legally binding document is required by law when a covered entity facilitates Protected Health Information through a third-party company or organization. To learn more about BAAs, including frequently asked questions and answers pertaining to them, keep reading.
What is the Purpose of a BAA?
Generally speaking, a BAA is a requirement of HIPAA whenever a third-party entity, such as a contractor, performs services that use or otherwise involve the disclosure of PHI for a covered entity. Failure to create BAAs is among the most common HIPAA violations. You can protect yourself from this violation, however, by knowing when and how to create them.
Are BAAs Necessary When Submitting PHI to Researchers?
In most cases, a BAA must be created anytime that a covered entity transmits PHI to a third-party organization. There are exceptions, however, one of which is when the third-party organization intends to use the PHI for research purposes. As noted on the Department of Health and Human Services (HHS) website, covered entities are not required to create BAAs when submitting PHI to researchers, although the Privacy Rule does not prohibit them from doing so.
Will an Electronic BAA Satisfy HIPAA?
It's a common assumption that BAAs must be in written, paper form, but this isn't necessarily true. Assuming the document contains all of the requirements, BAAs in either paper or electronic form can satisfy HIPAA. Many covered entities are now opting for the latter, as it's easier and more convenient to create electronic documents.
For How Long Does a BAA Last?
This varies depending on the covered entity's specific needs and wording used in the document. When creating a BAA, the covered entity must specify a date of termination, at which point the document will no longer be valid and the covered entity may no longer transmit PHI to the business associate.
Are Business Associates Required to Implement Safeguards?
Yes. Business Associates are required to implement meaningful and appropriate safeguards to protect against the unauthorized use and/or access of PHI. This requirement must also be specifically included in the BAA, complete with the requirements of the HIPAA Security Rule when Electronic Protected Health Information (EPHI) is being used.