As the fines from data breaches continue to increase, it is especially important to understand how personal health information is protected in every aspect. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set requirements as to how to protect information, but covered entities often rely on a contractual relationship between the covered entity and a vendor, through a business associate agreement, to ensure this protection stays intact at all times.
Oftentimes this security makes or breaks the survival of a covered entity. Because the technicalities of the business associate agreement are often self-taught and handled with limited resources, it is difficult to understand what is expected of both parties.
Below we define what a Business Associate Agreement really is, how it can greatly reduce risk, and some common misconceptions about it.
What is a Business Associate Agreement?
A HIPAA Business Associate Agreement (BAA) is a contract between a HIPAA-covered entity (e.g. a hospital) and an organization providing services to the covered entity (the business associate).
Essentially, the BAA is a legal contract that describes how the business associate adheres to HIPAA, along with the responsibilities and risks it takes on.
The BAA also typically defines the services the business associate is providing and the type of data it interacts with, and it addresses breach notification, including timelines and penalties.
The contract creates accountability and liability between both parties, each of whom may handle PHI on behalf of the other entity.
Managing Risk When Implementing a Business Associate Agreement
When implementing a BAA, the goal is both to secure personal health information and to meet HIPAA compliance standards.
Five considerations for implementing a BAA:
1. Sign a BAA!
This should happen before any PHI is transmitted between the parties.
2. Keep a firm grasp on security.
Encrypt all PHI transmitted across your network.
3. Understand the risks.
Require best practices for the transmission, storage, and destruction of PHI covered by a BAA.
4. Require and conduct regular risk analyses.
Regularly scan computers and other information systems to identify potential security risks, and respond to what you find.
5. Regularly review BAAs with vendors.
Identify changes in business processes that would require alterations to the current BAA.
While there is a great deal of information available on how to be HIPAA compliant through a business associate agreement, there are also many conflicting suggestions.
Five Common Misconceptions debunked:
While achieving HIPAA compliance can sometimes feel like a maze, remembering the necessary considerations, as well as the misconceptions to avoid, can save you many headaches down the road. Remember to take an informed approach to security and compliance: uphold trust among business associates and the patients who trust that their data is secure.
LACyber is a division of Lincoln Archives providing comprehensive Data Breach Defense Services. Lincoln Archives and LACyber are proud to be a part of Lincoln Family of Companies serving the Western New York Community since 1914.