So far in our vendor management series, we’ve looked at:
- how to know if your vendor is a business associate (BA) under HIPAA,
- how to conduct due diligence before contracting with a vendor,
- and six areas to address in your vendor contract.
As a HIPAA-covered organization, you know that many of your vendors are also BAs. So, let’s turn our attention to your BA contract: the business associate agreement.
Here are seven quick facts about HIPAA business associate agreements (BAAs).
1. What is a Business Associate Agreement?
“A business associate contract, or business associate agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI.” – HealthITSecurity.com
For vendors that never touch PHI, a standard vendor contract or service level agreement (SLA) is enough. However, for vendors that create, receive, maintain, or transmit PHI on your organization’s behalf (called business associates), you must have a business associate agreement alongside the SLA. Even if your vendor can’t actually view the PHI (because it’s encrypted and they don’t hold the key, for example), you still need a BAA with them. The only exception is the narrow “conduit” exception for services that merely transmit PHI, such as a courier or internet service provider, with no more than transient access to it; a vendor that stores PHI, even briefly, is a BA.
The BAA is unique to HIPAA. In it, your BA provides the “satisfactory assurances” the Privacy Rule requires that they will appropriately safeguard your PHI. In this document, you require your BA to take specific actions (for example, reporting breaches to you and flowing the same obligations down to their subcontractors) and restrict how they may use or disclose PHI.
2. What is the Purpose of a BAA, and Why Do I Need One?
The purpose of a business associate agreement is to outline your BA’s responsibility to keep your PHI private and secure. The BAA sets forth the expectations and requirements of both parties – you and your BA. It is a legally binding document.
Business associate agreements are not optional! HIPAA requires you to have a signed BAA with your business associate before sharing any PHI with them. Disclosing PHI to a vendor without a BAA is itself an impermissible disclosure, so having the agreement in place protects you from a reportable privacy breach as well as from penalties for failing to have a BAA.
3. What Happens if I Don’t Have a BAA in Place with a Business Associate?
The Department of Health and Human Services Office for Civil Rights (HHS/OCR) can impose hefty fines and corrective action plans if you fail to have a BAA in place with your BAs. Furthermore, if HHS/OCR audits or investigates your organization, you must be able to produce your business associate agreements and demonstrate that you’ve conducted due diligence with your BAs, so keep the signed copies where you can find them.
4. Do Two Covered Entities Need a BAA?
Yes. If you hire another HIPAA-covered organization to create, maintain, receive, or transmit PHI on your organization’s behalf, then they are your business associate. So, you’ll need a BAA with them.
5. Which Business Associate Agreement Should I Use?
Sometimes a business associate has their own BAA. Which should you use, yours or theirs? HIPAA is silent about this; it specifies what terms the agreement must contain, not whose template to use. Even so, it’s typical for the hiring organization to dictate the terms of an agreement. For example, you’d use your BAA with your business associate, and the business associate would use their BAA with their subcontractors. You never enter a BAA directly with your BA’s subcontractors; that contract is the BA’s responsibility.
Note: Regardless of whose version of the BAA you use, your BA is liable for any breach of PHI that they cause. The same goes for downstream subcontractors (more about breaches, contract termination, and liability in the next blog).
6. Do BAAs Need to be Signed Annually?
No. If your BAA is “evergreen,” it renews automatically and doesn’t require a new signature to remain valid. Nevertheless, it’s smart to set a regular review schedule for your BAAs. The purpose of a review is to make sure the BAA stays current with your SLA, with State laws, and with any changes to the HIPAA rules themselves (the 2013 Omnibus Rule, for example, required existing BAAs to be updated).
Once you and your business associate sign the BAA, the signature is valid until there’s a material change to the SLA or the law that makes it necessary to change the BAA. Make sure you and your BA sign and date the BAA, and document each review, even when it results in no changes.
7. Do Business Associate Agreements Expire?
Your BAA is valid as long as the vendor contract is in effect. However, if there’s a change in the SLA that impacts your BA’s use or disclosure of PHI, you must adjust your BAA to reflect the new uses and disclosures. As stated above, you may also need to change your BAA to conform with changes to the law. Note that some BAA obligations outlive the contract: HIPAA requires the BAA to address what happens to PHI at termination, so your BA must return or destroy the PHI (or, if that isn’t feasible, keep protecting it) after the relationship ends.
Business associate agreements are the cornerstone of HIPAA-compliant vendor relationships. A major part of responsible vendor and contract management is to keep your documents up to date and on record. From HIPAAtrek’s platform, you can create, negotiate, and sign your BAAs. With HIPAAtrek, you can have peace of mind knowing you didn’t miss any steps. Contact us to learn more.
Keep an eye out for HIPAAtrek’s NEW Contract Management Module. This module simplifies and streamlines contract management with a fully customizable workflow. Manage your contracts from negotiation to termination with custom stages, so you will always know where your vendor contracts stand. Contact us to learn more about this up-and-coming feature or request a demo of HIPAAtrek today.
The goal of this five-part series is to show healthcare CEOs and CFOs that effective, HIPAA-compliant vendor management is vital to the finances, performance, and reputation of their organizations. Furthermore, healthcare organizations will see a positive ROI when they foster successful vendor relationships that yield high-quality, secure services.