Having a Business Associate Agreement (BAA) in place with any third party you do business with is essential to protect yourself from any legal issues that may arise, but it’s not a failsafe initiative. There’s a lot of misinformation about how much protection a BAA actually provides. Here are 4 myths about Business Associate Agreements decoded.
Myth: We don’t need a BAA if the business associate never actually looks at the data.
This myth is similar to the adage, “Ignorance is bliss.” If the data is there, someone should be looking at it. Not knowing could be worse than knowing. The business associate should be reviewing the data on a regular basis to determine if there are any potential security risks.
Myth: We have less risk with the BAA.
Exposure to penalties has increased with the HIPAA Privacy Rule. You are responsible for protecting your patients’ information. Furthermore, if the HIPAA Business Associate you authorize to access the data fails an audit or commits a data breach, you are also responsible. Over 20% of reported data breaches since 2009 have been caused by business associates. You are now responsible for ensuring that any subcontractors your HIPAA business associates use, including data centers, online backup providers, and cloud vendors, are also compliant.
Additionally, the rule was changed to remove the ‘harm’ standard, meaning lost equipment containing unencrypted patient data is now presumed to be a data breach. You should require that your vendors provide you with a network vulnerability assessment from an independent company that does not maintain their network.
Myth: Having a signed BAA is all we need to do to ensure the business associate is HIPAA compliant (audit and subcontractors)
Just as you are responsible for maintaining a HIPAA compliance program, the business associate you choose to work with should also implement a HIPAA compliance program for their business. They have to document their HIPAA-compliant policies, procedures, training, and compliance evidence just as you do for your practice. You should require that they share their own HIPAA Risk Analysis with you as proof that they have complied with HIPAA requirements. It is recommended that you reserve the right to audit the compliance of the business associate at any time to ensure they are adhering to HIPAA compliance standards.
Myth: All BAAs are the same.
Like any contract, it is critical to understand the terms and conditions. Pay special attention to breach notification terms and other critical elements that became effective/required after the HIPAA Omnibus Final Rule took effect in September 2013. Be sure the BAA is current. Any BAA older than 9/23/13 must be updated to address the Omnibus rule.
Being compliant is an ongoing initiative that organizations must prioritize for their business operations. It is important to review any contracts you hold and the compliance standards of the business associates you’re working with to avoid a data breach. For more information about Audit and Compliance solutions, contact us today.