Practice Management Alert
Ensure 10 Essential Elements Appear in Your BAAs
Follow HHS’s guide on what your contract needs to include.
Missing just one seemingly minor item when you compose your business associate agreements (BAA) could mean disaster for your practice. Make your job easier and ensure you hit all the key points with this rundown of what the U.S. Department of Health & Human Services (HHS) says you need to include in your BAAs.
On Jan. 25, HHS published refreshed guidance on BAAs. According to HHS, your BAA must:
1. Establish the permitted and required uses and disclosures of protected health information (PHI) by the business associate (BA);
2. Provide that the BA will not use or further disclose the PHI other than as permitted or required by the BAA, or as required by law;
3. Require the BA to implement appropriate safeguards to prevent unauthorized use or disclosure of the PHI, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI (ePHI);
4. Require the BA to report to the covered entity (CE) any use or disclosure of the PHI not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
5. Require the BA to disclose PHI as specified in its contract to satisfy a CE’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available the PHI for amendments (and incorporate any amendments, if required) and accountings;
6. To the extent the BA is to carry out a CE’s obligation under the Privacy Rule, require the BA to comply with the requirements applicable to the obligation;
7. Require the BA to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, the CE for purposes of HHS determining the CE’s compliance with the HIPAA Privacy Rule;
8. At termination of the contract, if feasible, require the BA to return or destroy all PHI received from, or created or received by the BA on behalf of, the CE;
9. Require the BA to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the BA with respect to such information; and
10. Authorize termination of the contract by the CE if the BA violates a material term of the contract. Contracts between BAs and their subcontractors are subject to these same requirements.
Source: U.S. Department of Health & Human Services Office for Civil Rights (www.hhs.gov/ocr).
Stay tuned: For a sample BAA from HHS you can use to develop your practice’s BAAs, email editor Leesa Israel at leesai@codinginstitute.us.
Practice Management Alert
- Worker's Compensation:
3 FAQ Answers Will Help Solidify Your WC Processes
Remember that successful WC reimbursement starts long before the claim gets filed. Many different types [...] - Human Resources:
Implement a Grievance Process to Manage Employee Complaints
Disgruntled employees can cost you more than bad PR. No employer is perfect, and your [...] - HIPAA How-To:
Review Your Business Associate Agreements Before the Feds Come Knocking
You have until September to get a handle on the recent changes. Now that the [...] - HIPAA How-To:
Ensure 10 Essential Elements Appear in Your BAAs
Follow HHS’s guide on what your contract needs to include. Missing just one seemingly minor [...] - What Would You Do?:
Can a Patient Retract an ABN?
Question: We have a patient who came for a service we knew Medicare wasn’t likely [...] - Reader Question:
Be Cautious With EMR Templates
Question: We are evaluating several EMR products and one company is touting the pros of [...] - Reader Question:
Inform Patients of Sequestrian Reductions -- Maybe?
Question: Now that the Medicare remittance is clearly tracking CO-223 for sequestration mandate reductions, would [...]
