A Business Associate Agreement (BAA) legally defines a third-party company's role and obligations in protecting Protected Health Information (PHI) under HIPAA, thereby reducing the legal liability of the primary entity.
If your organization is a “covered entity” subject to HIPAA's Privacy Rule, it's important that you understand what a Business Associate Agreement (BAA) is and why it's necessary to protect you from liability.
A Business Associate Agreement (BAA) is a legally binding document that establishes the terms of a working relationship between a covered entity, such as a medical practice, and a third-party company that may come into contact with protected health information (PHI) entrusted to that entity.
For the sake of clarity, let's begin with a few definitions:
As a covered entity, you are responsible for ensuring that the PHI entrusted to you is safeguarded from unauthorized access. A Business Associate Agreement (BAA) documents the fact that your business associates understand their obligation to safeguard any PHI that is shared with them. When a business associate signs a BAA with you, they are agreeing to take all necessary measures to protect the security and privacy of patient information. They acknowledge their responsibility to maintain certain standards concerning technical, physical, and procedural safeguards.
An e-mail service provider, for example, should affirm that they encrypt data both “in transit” and “at rest” so that messages are protected from unauthorized access. They should also warrant that data centers are subject to exacting security measures such as 24x7 surveillance, with strict access control to physical servers and storage devices. By getting these guarantees in the form of a written legal agreement, you are protecting your organization from potential liability under HIPAA's Privacy Rule.
A BAA should include a description of the PHI that will be shared with the business associate, along with guidelines for how it may be used by the third party. The document should also clarify that unpermitted use of the information is strictly prohibited, and that information may not be shared except as stipulated by contract, or as required by law.
A BAA may also help to clarify the nature and degree of safeguards necessary to prevent inappropriate disclosure of PHI. It may, for example, establish specific technical and physical security protocols such as data encryption, surveillance standards, or required employee training. In the case of transcription services or CPA firms, a BAA might prohibit the transmission of PHI via e-mail, even among internal users with legitimate purposes for accessing the information. If a covered entity prefers more secure means of communication such as cloud-based fax services, that may be stipulated as a requirement in the BAA.
The US Department of Health and Human Services provides a sample BAA that can be useful in crafting an agreement to meet your specific needs.
A BAA codifies the business associate's responsibilities with respect to handling PHI. As such, it shifts considerable legal liability from the covered entity to the business associate. Violations of the HIPAA Privacy Rule can lead to both civil and criminal penalties, which can be substantial. A well-crafted BAA provides a critically important safeguard for the covered entity.
A covered entity is still responsible for taking all reasonable steps necessary to cure a breach or resolve a violation if one should occur, but the BAA establishes the responsibility of the business associate to do everything in its power to protect the privacy of PHI.
For customers using our HIPAA-compliant Healthcare Fax, WestFax provides an industry-standard Business Associate Agreement that satisfies the Health and Human Services (HHS) standards for Health Information Privacy (HIP). To learn more about BAA and WestFax, contact us via e-mail or at 800-473-6208 to discuss your needs. We'll work with you to make sure your compliance requirements are fully satisfied.