I'm amazed at the number of healthcare organizations that are completely unaware of the Business Associate Agreement under HITECH. Of those that are aware of the document, further confusion exists as to whether they are required to execute one. Here are some resources to help you determine quickly whether this requirement applies, but you should err on the side of putting one in place with your business partners. They are simple and easy to use and there is nothing objectionable about the terms so long as you and your partners intend to do business the right way.
Here is a brief description of the BAA from from TechTarget and a video from legal experts on the matter below: Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a contract between a HIPAA covered entity and a HIPAA business associate (BA). The contract protects personal health information (PHI) in accordance with HIPAA guidelines.
Effective Feb. 18, 2010 in accordance with the HITECH Act of 2009, a BA's disclosure, handling and use of PHI must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates. Under the HITECH Act, any HIPAA business associate that serves a health care provider or institution is now subject to audits by the Office for Civil Rights (OCR) within the Department of Health and Human Services and can be held accountable for a data breach and penalized for noncompliance.
With these new regulations in mind, a HIPAA business associate agreement should explicitly spell out how a BA will report and respond to a data breach, including data breaches that are caused by a business associate's subcontractors. In addition, HIPAA business associate agreements should require a BA to demonstrate how it will respond to an OCR investigation.
Attorneys Carlos Leyva and Mayra Scheuermann have developed a HIPAA/HITECH Survival Giude, which includes educational resources, model contracts, and a sample Business Associate agreement. Ankota does not endorse this package, but this is a good resource to learn from and the package looks to solve the problems that many of Ankota's readers face.