If you are a healthcare practitioner who falls under the Health Insurance Portability and Accountability Act (HIPAA) as a covered entity, you must follow HIPAA rules and regulations when you contract with an outside third-party vendor to help you with your practice. If a business associate has potential access to your patients' protected health information (PHI), it must sign a business associate agreement (BAA) to ensure confidentiality and compliance with HIPAA regulations.
Who is considered a business associate under HIPAA? A business associate is defined by the U.S. Department of Health & Human Services as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
The BAA protects the healthcare practitioner in the event of a breach by a third-party vendor. Third parties, such as an IT consultant or a medical billing service company, may be using, storing or disclosing PHI pursuant to their services agreement with the healthcare practitioner.
What happens if the third-party vendor is breached and PHI enters the public domain? Who is responsible? This is the purpose of the BAA: to outline the responsibilities of the third-party vendor and what happens if a breach does indeed occur. Without the BAA, the healthcare practitioner (1) will not be in compliance with HIPAA and (2) may be held responsible for the third party's actions, which can cost large sums of money.
What is in the BAA? The agreement should include:
- clauses about confidentiality;
- the third-party vendor's function (for example, a billing company can access the patients' insurance information, diagnoses, types of treatment, Social Security numbers and names as part of its services); and
- the security measures the third-party vendor has in place to avoid or prevent a HIPAA breach.
However, the most important aspect of the BAA is what happens if there is a breach, including:
- Who will be held liable for the breach?
- Who will be responsible for the notification to the patients and the government pursuant to HIPAA rules and regulations?
- Who will be responsible for the payment of any penalties or fines as a result of the breach?
With business associate agreements in place, you can ensure that the individuals and companies you work with abide by the rules and regulations established under HIPAA to protect patient confidentiality.
Are you working with any third-party vendors and have questions about the BAA? Speak to an attorney in order to protect you, your practice and your patients.
Contact me today with questions or comments.
Stephanie J. Rodin, Esq.
Rodin Legal, P.C.
Tel: (917) 345-8972
Fax: (917) 591-4428