Business Associate Agreements: Does Your Business Need One?

Transcription

Carol: Hi there. I’m with Eric Hammond here at MIS Solutions. And today, we want to talk about business associate agreements. What are they and why do companies need them?

So, Eric, why don’t we start out with what is a business associate agreement and why is it necessary under HIPAA?

Eric: So, a business associate agreement, at its core, is a legally binding contract between two parties. And those two parties are what’s known as the first-party provider.

Oftentimes, it’s a health care provider. Someone who’s collecting PHI on behalf of a patient, right? It can also be other companies and industries that are not necessarily in the healthcare industry. An example would be an insurance company, right? They’re going to be collecting PHI. And so, it’s between them and any third-party contractors that they use, who are going to have some type of access to that PHI, that protected healthcare information, right?

And so, it’s an agreement between those two that really dictates and stipulates who’s responsible for what in the event of a breach. And it spells out who owns the data. What can they do with that data? And so, the idea is to go ahead and lay those boundaries out between the business associate, which is the third-party company, and the first-party provider, also known as the covered entity, right?

And it’s meant to spell that out in case there is a, “Oh my gosh, we had a breach.” Who’s responsible for what? Who’s responsible for all of the affected parties and letting them know there was a breach? And so, it’s meant to keep you, really outside of court because everybody already knows what their responsibilities and what their roles are.

Carol: Okay. So, what are the key elements that should be included in the standard BAA? Yeah.

Eric: So, it’s a great question. And the first thing I would say is if you’re at a point where you need to have a BAA with one of your third-party vendors, you need to consult your counsel, your attorney, right? You can certainly work with the Department of Health and Human Services.

They have tons of good documents that will tell you the things that you need to be looking out for and the things that you need to include. But because this is a legally binding contract, you need to seek out the services of a qualified attorney, right? But at its core, a BAA should include what are the permitted uses for the PHI that the business associate is going to come in contact with.

At its core, that’s what it should say.

Carol: Okay, what would be an example of that?

Eric: Okay, so, a great example that’s really often the easiest one is defining what a breach is, and who’s responsible in the event of a breach. For example, if I am a covered entity, and I’m going to give you access to my PHI, and then you get breached. You’ve got my PHI; you’ve been breached. Who’s responsible for notifying all of those people whose records are now leaked on the internet? What’s the cost of that? I don’t want to be responsible for that. I wasn’t breached. You were, Carol. And so, the BAA is meant to protect me from that.

Carol: Alright. So, what risks do companies face if they fail to execute a proper BAA with their vendors?

Eric: Yeah, the biggest and most, I guess the simplest one is, if you are required to follow HIPAA, you are running afoul of that rule if you do not have a BAA in place with any vendor who is touching Protected Healthcare Information, so, PHI.

And so, number one, we’ve got a compliance issue, right off the bat, if you don’t have a BAA. If you don’t have a solid or proper BAA, and that’s a subjective phrase, I get it. That’s why I say you need to talk with an attorney, right? But if you don’t have a proper or solid one, what could end up happening is you end up in court trying to hash it out in the event of a breach.

Who’s responsible for what? And so, you really want an airtight and solid BAA that defines clearly the responsibilities for each party.

At its core, I know we’re in the IT industry here and we’re talking IT, but at its core, this is a legal contract, right? And so, you want to enlist a specialist. If I have a problem with my feet, I’m not going to see a cardiologist, right? And the same thing here, right?

A solid managed service provider like MIS Solutions can consult and guide, right? And we’re happy to do that with all of our clients and we do that with our clients, right? But at the end of the day, because this is a legally binding contract, you want to consult an attorney.

Again, if you’re dealing in PHI and you’re granting access, in the most basic form, if you’re giving an outside party access to PHI that you have, you need a BAA, and that BAA needs to be vetted by an attorney that you pay for.

Carol: Okay. Eric, thank you very much. We appreciate that information.

Eric: You’re very welcome.
