Understanding Business Associate Agreements (BAAs)
The AWS Business Associate Addendum (BAA) is the agreement under which AWS commits to safeguarding protected health information (PHI) appropriately. The Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules. A business associate subcontractor agreement binds (1) a business associate of a covered entity and (2) a business associate of that business associate, that is, its subcontractor. Under it, the subcontractor agrees to safeguard electronic protected health information (ePHI) on behalf of the business associate. By law, a business associate must ensure that its subcontractors agree to the same restrictions and conditions that apply to the business associate itself.
A business associate contract specifies each party's obligations regarding PHI. If a vendor can view PHI, you need an agreement; only a vendor that cannot access PHI at all is exempt. A signed BAA makes the business associate responsible for keeping client information safe and for documenting how it does so. HIPAA requires a BAA with every business that could access clients' PHI.
Covered Entities and BAAs
A BAA must be signed whenever a business associate handles PHI that it receives from, or creates on behalf of, a covered entity. The covered entities that need BAAs are:
- health plans
- healthcare clearinghouses
- healthcare providers transmitting health information electronically
In simple terms, a BAA makes the business associate liable, like the covered entity, for mishandling PHI. If you're a covered entity sharing PHI with a vendor, you need a BAA. Some companies won't sign one because they don't want to take on PHI liability.
Disclosure and HIPAA Compliance
Can a business associate disclose PHI to another business associate?
Only under a subcontractor agreement. A business associate may pass PHI to another business associate (its subcontractor) when that subcontractor has agreed in writing to the same restrictions and conditions on the PHI that bind the business associate, and the disclosure stays within what the covered entity permitted. The Office for Civil Rights enforces these rules.
Does a business associate need to be HIPAA compliant?
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, governs the lawful use and disclosure of protected health information (PHI).
Yes. If a business associate or its subcontractors could access PHI, a BAA is required, and under it the business associate must safeguard that PHI as HIPAA requires. The BAA requirement originates with the covered entities that share the PHI:
- health plans
- healthcare clearinghouses
- healthcare providers transmitting electronic health information
By law, a business associate must ensure its subcontractors agree to the same restrictions and conditions regarding PHI. If a covered entity fails to verify that a business associate is compliant before entering the agreement, and a breach then occurs, the covered entity may be liable.
If a covered entity discovers that a business associate has suffered a data breach or has mishandled PHI, it must take reasonable steps to get the breach cured or the violation ended and, if that fails, terminate the contract.