Touchstone Compliance

Straight Talk about Business Associate Agreements (BAA)

The Business Associate Agreement (BAA) is a necessary component of HIPAA compliance.  You should care about this not just because it is part of the HIPAA law or that you are safeguarding your patients’ information, either of which should be sufficiently compelling, but because you will want to protect your business and yourself.  

Safeguarding patient data throughout the supply chain

Congress wants to protect patient data throughout the supply chain.  So it closed a gaping loophole: a practitioner might do an excellent job of safeguarding patient data, but because that data was passed on to a supplier such as an x-ray practice, it could still be compromised by the x-ray practice.  Congress changed the law to hold every step in the supply chain to the same standard of data care in order to protect the patient's data.

The liability, whether civil damages or fines, ordinarily rests with the party that allowed the data to be unprotected.  But what do you do when each party starts pointing fingers at the other over who allowed the data compromise?  This is where the BAA becomes a lifesaver.

The Importance of a Business Associate Agreement

The BAA is a contract between the practitioner and a supplier.  It stipulates that the supplier understands it is subject to HIPAA and, as such, that each party will protect any patient health information (PHI).  Upon signing, both parties attest that they are each HIPAA compliant.  This means the staff handling the data are trained, there are written policies and procedures, and a process is in place to handle compromised data.

Legal protection via your Business Associate Agreements

This contract provides a legal firewall that protects the practitioner.  If there is no BAA, then each party will be held responsible for the incident.  If there is a BAA, only the party found to be at fault will be held responsible.

The costs of a data protection violation aren't only fines; the patient could also file for civil damages.  In addition, there are mitigation costs, such as paying for credit protection/monitoring, putting a corrective action plan in place, and being audited for seven years by the Office of Civil Rights.  There are also reputational costs.
