When Is a Business Associate Agreement (BAA) Required

"Don't roll the dice" when it comes to HIPAA compliance. If you hire a BA and share your PHI with them without creating a BAA beforehand, you should expect serious consequences. But let's be honest: it is difficult, if not impossible, to run a business without the help of third parties. Hiring outside help when you need extra hands or have specialized needs often makes business sense.

The HHS Office for Civil Rights (OCR) has imposed numerous fines for errors involving business associate agreements. In its investigations of data protection violations and complaints, the OCR found that the following covered entities had not obtained a signed HIPAA BAA from at least one provider. This was either the sole reason for the fine or an additional violation that contributed to the severity of the fine.

The most comprehensive source of information about HIPAA is the HHS website. However, since HHS cannot cover every possible relationship between a covered entity and a business associate, some of this information may be difficult to find and interpret. For advice on specific circumstances, it is recommended to seek professional HIPAA compliance assistance.

Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2013 and its inclusion in HIPAA through the HIPAA Omnibus Final Rule, subcontractors employed by business associates are also required to comply with HIPAA. A business associate must also obtain a signed HIPAA business associate agreement from its subcontractors before they access PHI or ePHI. When subcontractors use vendors who need access to PHI or ePHI, they must also enter into matching agreements with those vendors.

A BAA is a signed document that confirms the willingness of a third-party supplier to take responsibility for the safety of your customers' PHI, to comply with appropriate security measures and to meet HIPAA requirements when dealing with PHI on your behalf. For some vendors, you only need a service level agreement (SLA). However, for vendors that create, receive, manage or transfer PHI on behalf of your organization ("business associates"), you must have a business associate agreement in addition to the SLA. Even if your provider can't view the PHI (e.g. because it's encrypted), you still need a BAA with it. HIPAA requires covered entities to work only with business associates that guarantee full protection of PHI.

These assurances must be written in the form of a contract or other agreement between the covered entity and the BA. HHS to verify the compliance of BAs and subcontractors, and not just the covered entities.