Business Associate Agreements (BAA) [Healthcare Compliance Tips]

Evaluate your business associate agreements (BAA) to ensure PHI is appropriately safeguarded.

In Feb 2019, per the HIPAA Journal, a vendor that provides secure electronic exchange and manages medical records for healthcare organizations reported that hackers gained access to parts of their system that contained sensitive patient information.  Approximately 18,000 or more patients were affected, in which it took eight months for the breach to be reported.

In light of recent cybersecurity attacks, CMS and HHS have launched their new Compliance Review Program, which began April 2019.  They will randomly select a mix of health plans and clearinghouses to “ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions.”

As you can see, this is serious.  And, it’s time to evaluate and connect with your business associates to combat cybersecurity threats.

HIPAA does require that covered entities (your practice) and business associates enter a contract to ensure that protected health information is safeguarded.  And, to assist you further, we found this resource from CMS called the “Sample Business Associate Agreement Provisions” that will get you started.

Remember, you may not have control over what occurs within their business, but the government expects that you at least sign an agreement together.  And, we suggest you go one step further to follow-up to ensure their business standards continuously meet your needs.

Besides, if they can’t give real answers to your cybersecurity questions or protect your patient information as you do, then maybe it is time to change business associates.

**The opinions and observations from the group/author are not a promise to exempt your practice from fines and penalties.  Research, modify, and tailor the advice to fit your specialty.