Everything You Need to Know About BAA
A Business Associate Agreement (BAA) legally defines a third-party company's role and obligations in protecting Protected Health Information (PHI) under HIPAA, thereby reducing the legal liability of the primary entity.
A Business Associate Agreement (BAA) is a legally binding document that spells out the terms of the working relationship between a HIPAA “covered entity” — a healthcare provider, health plan, or other organization that handles patient information — and a “business associate,” any third party the covered entity engages that may come into contact with protected health information (PHI) in the process. If your organization is a covered entity subject to HIPAA’s Privacy Rule, understanding what a BAA is and why it’s required protects you from liability if a business associate mishandles that data. Business associates can include email providers, secure cloud fax services, CPA firms, consultants, or medical transcription services — any vendor that touches PHI on the covered entity’s behalf.
For clarity, here are two related terms:
- A covered entity is any individual or organization that handles private patient information. Some examples include healthcare professionals, medical practices, hospitals, health insurance companies, and HMOs.
- Protected health information (PHI) includes any patient information that may be identified as belonging to a specific individual. When it is in electronic form, it may also be referred to as ePHI.
What is a Business Associate Agreement?
As a covered entity, you are responsible for ensuring that the PHI entrusted to you is safeguarded from unauthorized access. A Business Associate Agreement (BAA) documents the fact that your business associates understand their obligation to safeguard any PHI that is shared with them. When a business associate signs a BAA with you, they are agreeing to take all necessary measures to protect the security and privacy of patient information. They acknowledge their responsibility to maintain certain standards concerning technical, physical, and procedural safeguards.
An e-mail service provider, for example, should affirm that they encrypt data both “in transit” and “at rest” so that messages are protected from unauthorized access. They should also warrant that data centers are subject to exacting security measures such as 24x7 surveillance, with strict access control to physical servers and storage devices. By getting these guarantees in the form of a written legal agreement, you are protecting your organization from potential liability under HIPAA's Privacy Rule.
What's in a Business Associate Agreement?
A BAA should include a description of the PHI that will be shared with the business associate, along with guidelines for how it may be used by the third party. The document should also clarify that unpermitted use of the information is strictly prohibited, and that information may not be shared except as stipulated by contract, or as required by law.
A BAA may also help to clarify the nature and degree of safeguards necessary to prevent inappropriate disclosure of PHI. It may, for example, establish specific technical and physical security protocols such as data encryption, surveillance standards, or required employee training. In the case of transcription services or CPA firms, a BAA might prohibit the transmission of PHI via e-mail, even among internal users with legitimate purposes for accessing the information. If a covered entity prefers more secure means of communication such as cloud-based fax services, that may be stipulated is a requirement in the BAA.
The US Department of Health and Human Services provides a sample BAA that can be useful in crafting an agreement to meet your specific needs.
Why is a Business Associate Agreement So Important?
A BAA codifies the business associate's responsibilities with respect to handling PHI. As such, it shifts considerable legal liability from the covered entity to the business associate. Violations of the HIPAA Privacy Rule can lead to both civil and criminal penalties, which can be substantial. A well-crafted BAA provides a critically important safeguard for the covered entity.
A covered entity is still responsible for taking all reasonable steps necessary to cure a breach or resolve a violation if one should occur, but the BAA establishes the responsibility of the business associate to do everything in its power to protect the privacy of PHI.
For customers using our HIPAA-compliant online fax service, WestFax provides an industry-standard Business Associate Agreement that satisfies the Health and Human Services (HHS) standards for Health Information Privacy (HIP). To learn more about BAA and WestFax, contact us or call 800-473-6208 to discuss your needs.
