A HIPAA BAA, or Business Associate Agreement, is a contract between a HIPAA-covered entity and a vendor (the business associate) that creates, receives, maintains or transmits protected health information on that covered entity's behalf.
Covered Entities Under HIPAA
Covered entities under HIPAA include healthcare providers that conduct standard electronic transactions, health plans and healthcare clearinghouses. Any company that partners with a covered entity and will have access to protected health information (PHI) in the course of that work must have a business associate agreement in place. The contract must be signed before any PHI is shared between the two parties.
In 2013, the HIPAA Omnibus Rule extended these requirements to subcontractors of a business associate. A subcontractor is also required to have a signed business associate agreement in place before it is given any access to PHI or ePHI, and the business associate is responsible for putting that agreement in place.
What a HIPAA-Compliant Business Associate Agreement Must Contain
Every HIPAA-compliant business associate agreement must specify the types of PHI that will be provided to the business associate, the purposes for which it may use that PHI, and what it may disclose and to whom. The agreement must also state the measures the business associate takes to protect the information it handles, whether at rest or in transmission, and its obligations if a breach or security incident occurs, including reporting the incident to the covered entity.
The contract must be specific about the physical, administrative and technical safeguards the business associate will implement. It should address how the confidentiality, integrity and availability of ePHI will be maintained, so that the arrangement meets the HIPAA Security Rule, and it should spell out permitted and required uses and disclosures so that it meets the HIPAA Privacy Rule. It should also require the business associate to flow the same restrictions down to any subcontractors and to return or destroy the PHI when the agreement ends.
It should be noted that a business associate agreement does not transfer the covered entity's responsibility to the vendor. Since the 2013 Omnibus Rule, business associates are directly liable for their own HIPAA violations, but the covered entity remains responsible for its own compliance and can be held liable for a breach or violation involving a vendor that acts as its agent. An agreement that lacks the elements described above should be treated as non-compliant and corrected before any PHI is shared under it.