Full Stack IT by CoreSpace

CoreSpace Blog


    If You Have PHI, You Need a BAA

    Posted by CoreSpace Admin on Apr 20, 2016 10:12:39 AM

    Long gone are the days of simple handshake agreements. Medicine is big business, and a focus on guarding patient privacy means the paperwork will stack up. A business associate agreement (BAA) is one of many parts of total HIPAA compliance, and an essential part at that.

    Don’t care about HIPAA? That’s a million-dollar mistake.

    Take a moment to think about these examples:  

    • A dental specialist who uses computers in her practice and trusts an external IT person to update and repair them
    • A urologist who employs a medical transcription agency to type his notes
    • An OB/GYN practice that outsources certain telephone duties to an answering service

    What do all these situations have in common? The covered entity could be in big, expensive trouble if he or she fails to have a BAA in place with all business associates.

    Are you squirming? Think this doesn’t apply to you? Sorry. It clearly does.

    But think of the upside: A BAA protects YOU and your practice. The BAA is essentially your way to require people that help you with your business to take care of the Protected Health Information (PHI) they come in contact with. After all, don’t you want your business associates to be as careful and respectful of PHI as you are? And remember, PHI can be as simple as a patient’s name.

    Covered Entities, Business Associates and Protected Health Information

    But first, let’s review our terms.

    A covered entity is anybody who works in healthcare, providing treatment, payment or other operations. The U.S. Department of Health & Human Services (HHS) deems health plans, healthcare providers and healthcare clearinghouses covered entities. The definition of “health plan” includes schools and employers that handle their students’ and employees’ protected health information. This means a school will be held to the same standard of HIPAA compliance as a dentist or a surgeon.

    Covered entities subcontract out to business associates, or vendors who gain access to protected health information as part of their job. These include medical transcriptionists, data storage services, medical equipment companies, lawyers, accountants, translation services and answering services.

    Protected health information (PHI) is any information contained in medical records that could identify a specific individual, which was used, created or disclosed while providing treatment, diagnosis or another healthcare service. To meet the definition of PHI, a piece of health data must be both identifiable to the individual patient, and disclosed to or used by a covered entity while caring for the patient.

    What is a BAA?

    The sole purpose of a Business Associate Agreement is to delineate a business associate’s responsibilities under HIPAA. This agreement is necessary to prove that the business associate understands and adheres to HIPAA rules regarding protected health information. Such an agreement should not be taken lightly – both civil and criminal penalties for violating HIPAA can be very severe, and ignorance is not an acceptable excuse.

    Business associates are only permitted to disclose or use PHI in accordance with their business associate contract. This contract should clearly state permissible disclosures and uses of PHI. Other facets that a contract should cover include:

    • Stipulating what safeguards the business associate must implement to prevent disclosure or unauthorized use of PHI
    • Requiring that the business associate immediately inform the covered entity if any lapses in security or privacy occur
    • Requiring the business associate to fulfill individuals’ requests for copies of their own PHI, as stated in the contract
    • Requiring transparency from the business associate if HHS wants to review books, records or internal practices
    • Requiring destruction of PHI when the contract ends
    • Requiring the business associate’s subcontractors to also meet all HIPAA standards
    • Stipulating termination of the contract if a business associate violates the contract’s terms

    The HHS includes a sample BAA on its site.

    Protect Your Patients, Protect Yourself

    When dealing with PHI, you have the responsibility to protect patient privacy, and your own solvency and freedom. HIPAA violations are expensive and can lead to million-dollar fines and incarceration.

    There are a slew of reasons to not only be prepared but to have a plan in place to protect your business from a PHI breach and an OCR audit. Here are three to consider.

    1. It’s the law: The Omnibus Final Rule officially went into effect in late 2013, but many organizations still aren’t fully aware of the changes in the regulations and the major financial, operational and legal risk management consequences for all Covered Entities, as well as Business Associates and Subcontractors that were not previously required to comply with HIPAA.
    2. Upcoming OCR audits and your business: Nothing sends a shock of fear through a hospital C-suite quite like the word “audit.” And the second phase of HIPAA audits is slated to begin in early 2016. Those CIOs, CISOs, CEOs, General Counsel and privacy officers unfortunate enough to receive notification of an impending HIPAA audit from HHS and OCR will invariably feel that pressure. While security is a crucial aspect of any health organization, it's another thing entirely to plan accordingly for an OCR audit.
    3. Data breach: Earlier this year, Community Health Systems garnered a lot of press for a data breach of 4.5 million patient records, following a successful cyber-attack by hackers that originated from China. Medical ID theft is on the rise as more sophisticated career hackers are realizing the valuable information they can snag from patient records. In fact, a recent FBI alert highlights just how real this threat is to the healthcare industry.

    CoreSpace works closely with each customer who deals with e-PHI to ensure that, jointly, CoreSpace and the customer are adequately maintaining the proper configurations, security safeguards, processes and procedures to protect e-PHI according to the HIPAA Privacy and Security Rules.

    We sign Business Associate Agreements and will share our audit report upon request, so you can feel better knowing your ePHI is secure. If you would like to learn more about your HIPAA compliance options, see our pages on HIPAA Compliance. Please contact us anytime for individualized answers for all your HIPAA questions.

    Call us today for a cutting-edge, compliant hosting and data storage solution.

    Tags: BAA, PHI, ePHI, information security
