We discussed HIPAA Business Associates in our last post and listed some examples you might have in your Practice.
If you have Business Associates, then HIPAA requires you have Business Associate Agreements (BAA) in place. A Business Associate Agreement is a contract between covered entity (CE) and a business associate (BA) that details the permitted and required use of protected health information (PHI) by the business associate.
A business associate contract is a required implementation in the HIPAA Administrative Safeguards. Some details of a business associate contract are:
- Establish permitted use and disclosure of PHI by the BA.
- Provide that the BA will not use or further disclose the information other than as permitted or required by the contract or as required by law.
- Require the BA to implement appropriate HIPAA safeguards to protect PHI.
- Require the BA to report any PHI breaches to the covered entity.
- Require the BA to ensure that any subcontractors it engages that will access PHI agree to the same restrictions apply to the business associate.
Having the right business associate contract in place can potentially protect your organization from breaches caused by a Business Associate.
A business associate agreement is a legal contract between two parties and should be treated as such. The contract should be reviewed by your lawyer to make sure you are protected as much as possible from any Business Associate mishaps.
The department of health and human services (HHS) website has a sample business associate contract you can modify to suit your practice needs.