The recent HITECH Act and Omnibus Rule have amended the Health Insurance Portability and Accountability Act (HIPAA) to include business associated of covered entities. Previously, business associates were not responsible for implementing measures to prevent disclosure of PHI. With these new changes, however, business associates found in violation of the HIPAA Privacy and/or Security Rule could face penalties ranging anywhere from $100 to $50,000 per violation.
What Is a Business Associate?
Let's first discuss the definition of a “business associate,” as the term is somewhat confusing. When used in the context of HIPAA, a business associate is a person, organization or entity that performs a job or service on behalf of a covered entity. An example of a business associate is an Informations Technology (IT) specialist for a local doctor's office. While the IT specialist doesn't perform medical services, he or she is equally responsible for implementing measures to protect patient information.
With the passing of the Omnibus Rule, BAs now include subcontractors working for covered entities, as well other entities that handle or transmits patient information.
Business Associates Agreement
HIPAA states that covered entities and their respective business associates must enter into a contract stating that the business associate will implement measures to safeguard PHI. This contract, known as a Business Associates Agreement (BAA) also clarifies how the business associate will use the information (if applicable). Business associates are only allowed to use PHI as outlined in the BAA; otherwise, the business associate could be found in violation of HIPAA.
What Do Should I Include In a BAA?
Now for the million dollar question: what type of information do I need to include in my BAA? According to the Department of Health and Human Services (HHS), the BAA must define what type of PHI the business associate is permitted to use and how the business associate can use it. Furthermore, it should also outline safeguards and other security measures used to prevent disclosure of PHI.
Additionally, the BAA should include instructions for the business associate regarding how to keep PHI safe and secure. This may include the use of encryption, firewalls, password controls, user identification numbers, etc.
This should give you a better understanding of Business Associates Agreements and what to include in them. For more information on this topic, check out the official HHS webpage on covered entities and business associates at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/.