HIPAA Demystified, Part 3: Lions, Tigers, and BAA's, Oh My!
Now that you've learned what HIPAA even is and whether you are a covered entity, it's time to learn one of the main tenets of being HIPAA compliant. I'm talking about BAAs: not the sound that sheep make, but a Business Associate Agreement. You will learn what it is, what it means for HIPAA, and how to get one.
Simply put, a BAA is an agreement between you as the healthcare provider and another company, your Business Associate. The OCR's official definition of a Business Associate is
These associates include:
Billing companies or EHRs that process claims (which are obviously PHI)
CPAs (Certified Public Accountants), because they see your income from insurance and private-pay clients
Lawyers whose legal services involve access to PHI
Clearinghouses, because they contact insurance claims
So what does this Business Associate Agreement look like?
In general, all clearinghouses, EHRs, and billing companies will have their own BAAs already set up, and you will either sign their BAA as part of the routine intake contract or sign it immediately after setting up your contract. I ALWAYS ask for a BAA before I sign any contract with a company that might access PHI, such as when I was choosing a teletherapy platform for my private clients. If they don't know what you're talking about when you ask for a BAA, they are probably not a good option.
According to the OCR, the Business Associate Contract (Agreement) must
Describe how the BA is allowed and required to use the PHI
Require that the BA not disclose any more PHI than is permitted or required
Require that the BA use appropriate safeguards to prevent the PHI from being used or disclosed in ways other than those specifically laid out in the contract
If you as the covered entity find out that your BA is violating that contract, you have to take "reasonable steps" (which are not specifically defined by the OCR) to end that violation, and if those are unsuccessful, you must terminate said contract. If you can't terminate the contract, you have to report the breach/violation to the OCR.
Who DOESN'T have to have a BAA?
Lest you worry about having to sign BAAs with everyone from your CPA to your electric company, here are some associates that you don't have to sign a BAA with:
Hospitals or doctor's offices that refer to you, or to whom you refer; technically, you are both covered entities and not just business associates
Insurance companies (same reason as above)
People in your office whose jobs do not involve using or disclosing PHI, like electricians and janitors
The US Postal Service or private mail carriers, since they are just transmitting information but not looking at it
Payment processing systems that "directly facilitate or effect the transfer of funds for payments for health care or health plan premiums." ("But Jill," you say, "you SAID we have to process payments in a HIPAA-compliant manner!" Yes: claims, invoices, and superbills must be shared in a HIPAA-compliant manner; the actual payment/fund processing alone does not have to be HIPAA compliant. HOWEVER, it is almost impossible to create an invoice that does not include ANY PHI, such as a name, your service, or a CPT or ICD-10 code, so in general you want to make sure that your payment processor will sign a BAA with you, since they will be collecting and storing payment information from your clients.)
More info than you ever wanted to know about BAAs is available from the OCR here.
So, that concludes my three-part series on HIPAA. Was this helpful? If you still have questions, post them in the comments or email me using the mail icon below!