If you use any outside entity to assist with your ePHI or EMR, including a hosting company, you already have at least one Business Associate (BA).
BAs are the companies that help health providers perform activities that involve the use or disclosure of PHI. By law, any BA, health provider, person, or business must comply with the privacy and security rules (see the security and privacy rules section) when disclosing PHI, and the two parties must sign an agreement called a Business Associate Agreement (BAA).
As defined under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA Business Associate Agreement is a legal contract between a HIPAA Covered Entity (CE) and a BA. The BAA should detail:
The respective role and responsibilities that a health provider and a hosting company have regarding protecting PHI.
The ways in which both parties will be held liable for any breaches, so if one member violates the terms of the agreement, the other has legal recourse.
Business Associate Agreements (BAAs) are how HIPAA's requirements are carried over to the vendor relationship. They safeguard sensitive personal data and patient records by making both health providers and their BAs responsible and liable for proper storage and transmission. If you use any outside entity to assist with your ePHI or EMR, including a hosting company, you must have a BAA signed with that organization.
Remember, simply having a BAA doesn’t mean your responsibilities related to HIPAA are complete! You and your BA should have clearly defined, in the BAA, what actions the BA takes to protect data. Health providers and their BAs cannot excuse liability by claiming they shouldn’t have to follow HIPAA regulations if proper actions are not taken to safeguard patients' data. If a BAA is not issued, is incomplete, or is violated, then both parties may find themselves in a lot of trouble under HIPAA.
A good BAA protects both the health provider and the Business Associate in the event of a breach. It’s important that your BAA uses proper legal language. If only one party is responsible for a breach of PHI, then the BAA should clearly hold that party responsible. The first thing that a good BAA must include is an acknowledgment that the entity issuing it is obligated to follow HIPAA regulations. Your BAA must also include an acknowledgment that the entity signing it is obligated to follow HIPAA regulations.
What should you consider when selecting a BA?
Does your BA:
“Your practice, not your Electronic Health Record vendor, is responsible for taking the steps needed to comply with HIPAA privacy & security standards.” - The Office of the National Coordinator for Health Information Technology
HIPAA violations come with hefty fines. Noncompliance can carry a penalty of up to $1.5 million. These monetary penalties motivate facilities to operate in full compliance with HIPAA and hold accountable those who don't. Penalties are based on the severity of the violation and the facility’s knowledge of the noncompliance. While that might lead you to think it’s better to claim no knowledge of a breach if one occurs, under HIPAA you are responsible for reporting breaches as promptly as possible.
The Four Tiers of HIPAA Violations:
To comply with HIPAA criteria, it’s important to know what PHI must be protected. The law requires health providers and BAs to protect both past and present patient data in order to qualify for reimbursements under the Affordable Care Act (ACA). Medical facilities and practitioners must also: