Health Information Compliance Alert
Ensure Your BAA Contains These Essential Items
PDF
Leaving even one seemingly minor item out of your business associate agreement (BAA) could spell disaster for your facility or practice. Here’s what the U.S. Department of Health & Human Services (HHS) has to say about what you need to include in your BAA.
On Jan. 25, HHS published refreshed guidance on BAAs. According to HHS, your BAA must:
· Establish the permitted and required uses and disclosures of protected health information (PHI) by the business associate (BA);
· Provide that the BA will not use or further disclose the PHI other than as permitted or required by the BAA, or as required by law;
· Require the BA to implement appropriate safeguards to prevent unauthorized use or disclosure of the PHI, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI (ePHI);
· Require the BA to report to the covered entity (CE) any use or disclosure of the PHI not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
· Require the BA to disclose PHI as specified in its contract to satisfy a CE’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available the PHI for amendments (and incorporate any amendments, if required) and accountings;
· To the extent the BA is to carry out a CE’s obligation under the Privacy Rule, require the BA to comply with the requirements applicable to the obligation;
· Require the BA to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, the CE for purposes of HHS determining the CE’s compliance with the HIPAA Privacy Rule;
· At termination of the contract, if feasible, require the BA to return or destroy all PHI received from, or created or received by the BA on behalf of, the CE;
· Require the BA to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the BA with respect to such information; and
· Authorize termination of the contract by the CE if the BA violates a material term of the contract. Contracts between BAs and their subcontractors are subject to these same requirements.
Source: U.S. Department of Health & Human Services Office for Civil Rights www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
Health Information Compliance Alert
- HIPAA Compliance:
Heads Up: Your Contracts With BAs Are Under the Microscope
Why your BAA is now more important than ever before. The “HIPAA police” aren’t fooling [...] - Ensure Your BAA Contains These Essential Items
HHS provides an updated view on what your contract must contain. Leaving even one seemingly [...] - Privacy Strategies:
Nail Down Responses to Common Patient Privacy Questions
Help your front office employees provide accurate answers quickly with some pre-written replies. Your patients [...] - EMR Strategies:
Watch Out: Attestations Can Help, But They Can Also Hurt
Avoid generic attestations or expect audits in the emergency department. While the use of attestations [...] - Continuing Education:
Are You Sure Your EHR System's Compliant?
Get up to speed on security management and technical assurance of EHR. Here is your [...] - Reader Question:
Are Unencrypted Emails Okay
Question: I recently heard that the HIPAA privacy rule was changed and it now prohibits [...] - Reader Question:
Signature Variations Are Acceptable, if They're on Your Signature Log
Question: We’re having trouble making sure our providers meet signature requirements for their charts and [...] - Reader Question:
Don't Drop The Signature Baton In Handing Off A Patient At Change Of Shift
Question: When an emergency physician turns an incomplete patient encounter over to a partner due [...] - Industry Notes:
Could May 1 Be Final Deadline for Ordering/Referring Edits? Part B practices have been waiting [...]