HIPAA Compliance

What is a Business Associate Agreement and Why Do I Need It?

If you are a healthcare provider, insurance company, or other entity covered under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, you may have heard of something called a Business Associate Agreement (BAA).

A Business Associate Agreement (BAA) is a legally required contract between a HIPAA-covered entity — a healthcare provider, health plan, or clearinghouse — and any vendor, or “business associate,” that creates, receives, transmits, or stores protected health information (PHI) on that entity’s behalf. The agreement obligates the business associate to apply the same administrative, physical, and technical safeguards HIPAA demands, and to report any breach of PHI back to the covered entity. Vendors that typically need a BAA include billing companies, IT and cloud-hosting providers, email services, and HIPAA-compliant fax providers like WestFax. Without a signed BAA in place, sharing PHI with that vendor is a compliance violation, not just a business risk.

Why a BAA Matters for HIPAA

The BAA is a critical part of making sure that you are meeting HIPAA requirements; and if you don’t have a BAA in place, it could end up costing you a lot of money.

Who Counts as a Business Associate

Whenever you share a patient’s protected health information (PHI), you are ultimately responsible for making sure that it remains secure according to HIPAA guidelines. Information may be shared with other healthcare providers, billing companies, and third party service providers in conformance with HIPAA guidelines; but there are often intermediaries who have access to the information along the way. This could include companies that host e-mail servers, third-party billing companies, or providers of HIPAA Compliant fax services like WestFax.

In short, a business associate (as defined under HIPAA regulations) could be any contractor (an organization or person) that creates, transmits, receives, or maintains PHI on your behalf. (Your employees are not classified as business associates, so they don’t need to sign a BAA.)

Your Responsibility to Safeguard PHI

Legally, it’s your responsibility to make sure that your business associates understand the obligation to safeguard PHI, and agree to take the appropriate measures themselves to protect the PHI entrusted to you. Such safeguards include both physical and technical measures to ensure the security and privacy of patient information.

Companies hosting servers that store electronic PHI, for example, must implement physical security measures to prevent unauthorized access. At WestFax, we host our systems in SOC 2 compliant data centers with 24×7 guards, advanced video surveillance, biometric ID access, and server cages. We use the latest technical security controls to prevent unauthorized access to archived faxes and to in-transit data when faxes are being sent and received.

Because you’re ultimately responsible for safeguarding PHI in your custody; you need to get all that in writing. That’s where the BAA comes into play.

What the BAA Covers and Why It Is Required

The Business Associate Agreement is a legal agreement that outlines the responsibilities of each party in ensuring the security of PHI, both “in transit” and “at rest”. When WestFax signs a BAA, we are legally acknowledging our responsibilities to maintain our high standards for keeping PHI secure. We understand HIPAA compliance in detail, and we are willing to demonstrate our commitment to security in writing.

Having a signed Business Associate Agreement is not optional; it protects you from legal liability and potential compliance penalties. HIPAA rules require a BAA from every third-party contractor who could potentially have access to PHI in your custody.

Getting a BAA from WestFax

As part of our HIPAA-compliant Healthcare Fax, WestFax provides an industry-standard Business Associate Agreement. Our BAA agreement satisfies the Health and Human Services (HSS) standards for Health Information Privacy (HIP).

If you prefer a custom BAA agreement tailored to your needs, contact us via e-mail, or call us at 800-473-6208 to discuss your needs. We’ll work with you to make sure your compliance requirements are fully satisfied.