Credentialing Glossary

BAA

compliance

Definition

A Business Associate Agreement is a required HIPAA contract between a covered entity and a business associate that establishes permitted uses and disclosures of PHI and requires appropriate safeguards.

Extended Explanation

A Business Associate Agreement is a legally required contract between a covered entity (like your practice) and any vendor or partner that accesses, creates, or maintains Protected Health Information on your behalf. HIPAA requires a BAA to be in place before you share PHI with a business associate. Business associates include your electronic health record vendor, your billing company, your credentialing service, your cloud storage provider, your IT support company, and anyone else who might encounter patient information as part of the services they provide to you.

The BAA specifies how the business associate must handle PHI, what safeguards they must implement, what they must do in the event of a breach, and your rights to terminate the agreement if they violate HIPAA. Without a BAA in place, sharing PHI with a third party is a HIPAA violation, even if no breach actually occurs.

During credentialing, some payers ask whether you have BAAs with your business associates. This is part of their assessment of your HIPAA compliance posture. Having BAAs in place demonstrates that you take data protection seriously.

A common mistake practices make is not having BAAs with all their business associates. Your EHR vendor probably required one when you signed up, but what about your answering service? Your shredding company? Your email hosting provider? If any of these vendors could potentially access PHI, you need a BAA. Keep a list of all your business associates and the dates of their BAAs. Review and update BAAs when contracts renew or when you change vendors.