What is a Business Associate Agreement and Why Do I Need It?

If you are a healthcare provider, insurance company, or other entity covered under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, you may have heard of something called a Business Associate Agreement (BAA).

What is a BAAThe BAA is a critical part of making sure that you are meeting HIPAA requirements; and if you don’t have a BAA in place, it could end up costing you a lot of money.

Whenever you share a patient’s protected health information (PHI), you are ultimately responsible for making sure that it remains secure according to HIPAA guidelines. Information may be shared with other healthcare providers, billing companies, and third party service providers in conformance with HIPAA guidelines; but there are often intermediaries who have access to the information along the way. This could include companies that host e-mail servers, third-party billing companies, or providers of HIPAA Compliant fax services like WestFax.

In short, a business associate (as defined under HIPAA regulations) could be any contractor (an organization or person) that creates, transmits, receives, or maintains PHI on your behalf. (Your employees are not classified as business associates, so they don’t need to sign a BAA.)

Legally, it’s your responsibility to make sure that your business associates understand the obligation to safeguard PHI, and agree to take the appropriate measures themselves to protect the PHI entrusted to you. Such safeguards include both physical and technical measures to ensure the security and privacy of patient information.

Companies hosting servers that store electronic PHI, for example, must implement physical security measures to prevent unauthorized access. At WestFax, we host our systems in SOC 2 compliant data centers with 24×7 guards, advanced video surveillance, biometric ID access, and server cages. We use the latest technical security controls to prevent unauthorized access to archived faxes and to in-transit data when faxes are being sent and received.

Because you’re ultimately responsible for safeguarding PHI in your custody; you need to get all that in writing. That’s where the BAA comes into play.

The Business Associate Agreement is a legal agreement that outlines the responsibilities of each party in ensuring the security of PHI, both “in transit” and “at rest”. When WestFax signs a BAA, we are legally acknowledging our responsibilities to maintain our high standards for keeping PHI secure. We understand HIPAA compliance in detail, and we are willing to demonstrate our commitment to security in writing.

Having a signed Business Associate Agreement is not optional; it protects you from legal liability and potential compliance penalties. HIPAA rules require a BAA from every third-party contractor who could potentially have access to PHI in your custody.

As part of our HIPAA-compliant Healthcare Fax, WestFax provides an industry-standard Business Associate Agreement. Our BAA agreement satisfies the Health and Human Services (HSS) standards for Health Information Privacy (HIP).

If you prefer a custom BAA agreement tailored to your needs, contact us via e-mail, or call us at 800-473-6208 to discuss your needs. We’ll work with you to make sure your compliance requirements are fully satisfied.

Discover more