Many of us have been asked to sign Business Associate Agreements (“BA”), and I would suspect most of us have signed a BA without really understanding what in the world we are signing.
We've all been there. You may begin reading with gusto, but before you know it your eyes start to glaze over as terms like “Privacy Rule”, “Security Rule”, “De-identified Data”, “Designated Record Set”, and convoluted references to "45 C.F.R. Section 164" begin to swim on the page. You may begrudgingly call your attorney in a fruitless attempt at understanding, but end up blindly signing merely for the sake of the business relationship.
However, while this may be the simplest route, it is important for any organization that deals with HIPAA compliance to have an understanding of Business Associate Agreements in order to save itself from future costly compliance issues.
So, What is a HIPAA Business Associate Agreement?
First and foremost, when referencing a "Business Associate", this is anyone who performs certain functions or activities that involve the use or disclosure of personal health information. This can include accountants, consultants, pharmacies, payers (i.e., health insurance providers), laboratories, e-health record software vendors, RHIOs (Regional Health Information Organizations) and HIEs (Health Information Exchanges).
Under the U.S. Health Insurance Portability and Accountability Act, a HIPAA BA is a contract between a company and those associates who have some level of access to Protected Health Information (PHI) that protects the information in accordance with HIPAA guidelines. It states exactly what the information will be used for and that it will be safeguarded against misuse. A HIPAA-compliant BA should explicitly spell out how a company will respond to a data breach, including breaches caused by a business associate's subcontractors.
For more detailed information, visit the U.S. Department of Health & Human Services' website page on Business Associate Contracts.