Business Associate Agreements (BAA)

Video Transcription
So how are your partners, I mean vendors, I mean business associates, going to agree to abide by my company's security and privacy policies? This is our next lecture in the Implementing the HIPAA Compliance Program for Leadership series, and this one is all about the HIPAA business associate agreement: how our partners and business associates will agree to incorporate our security policies, procedures and methodologies within their own sphere of influence, or find themselves looking for another covered entity to partner with.
We will have zero tolerance with our business associates if they fall short in any way of our standards, because it is our responsibility to protect the privacy and security of our PHI. So if you're ready, let's start reviewing our BAAs with an electron microscope, a really powerful microscope that will review our contracts down to the molecular level.
So in today's lecture, we will review the business associate provisions of the HIPAA Privacy Rule. Then we will lay out the functions and requirements of business associates and the business associate agreement, or BAA; in other words, contracts. And there are some exceptions to BAAs that we need to call out as well: the situations, and the certain entities, where BAAs are not required. So let's not shake on it, agree to disagree, and then we will both sign on the dotted line in invisible ink.
A business associate agreement, or BAA, is a written agreement between a covered entity and a business associate which states that both sides will do all they can to maintain the safety and integrity of PHI, along with provisions that determine which kinds of PHI will be handled by the business associate. It is the HIPAA compliance privacy officer's responsibility to keep BAAs thorough and up to date.
If you want to do business with my firm, you will protect our clients and their PHI, and you will agree to comply with or adopt our privacy rules in your own organization. Otherwise, we simply can't do business.
By law, the HIPAA Privacy Rule applies only to covered entities: health plans, healthcare clearinghouses and certain health care providers. But it's very rare that a covered entity will perform all of the work on its own, with only internal resources. Health care providers will often use the services of outside agencies, partners, individuals and subcontractors to perform some of the various workloads.
The Privacy Rule allows covered providers and health plans to disclose protected health information to these business associates if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule. So the business associate has to properly safeguard the information shared by the covered entity and, in doing so, also help the covered entity with compliance with the Privacy Rule. This is an agreement for the business associate to align with and respect the covered entity's responsibilities under the HIPAA Privacy Rule, to perform due diligence, and to use the appropriate safeguards to protect the privacy of the information.
Well, this has to be in writing, and thus we have the business associate agreement, or the business associate contract.
So there is a wide range of business associates, and of functions, that business associate agreements apply to. The fundamental requirement is that the service provided by the business associate will cause or lead the covered entity to have to disclose or share PHI. And that is the kicker, the reason business associate agreements exist: if I share my PHI with you, you promise to do your best to keep my organization's information safe, private and secure. An employee of a covered entity is not a business associate, but pretty much everybody else can be. My hospital could be a business associate of your hospital. My doctor could be a business associate of your medical clinic. My radiologist needs to share claim and billing information with your processing service.
I need your claims adjustment service to look through our records and billing statements and make sure we're using all of the current Medicare and Medicaid billing codes. An attorney whose legal services to a health plan involve access to protected health information is another. The list is virtually endless, but you can see the risk of having to share your PHI with business associates, and why you had better be sure, when choosing business associates, that you verify and review on an ongoing basis their adherence to your security and privacy standards. You choose them, and that's why it will be your risk as well as theirs if a data breach occurs.
HIPAA regulations require that covered entities maintain business associate agreements with all their partners who might need access to PHI. These business associate contracts must describe the permitted and required uses of protected health information by the business associate: the scope of how, when and why they require the use of PHI. The contract must state that the business associate will not use or further disclose that protected health information other than as permitted or required by the contract or required by law. The business associate is required to use the appropriate safeguards to prevent the use and disclosure of the protected health information other than as provided by the contract. And it will be in the contract that when the covered entity becomes aware of a material breach or violation of the contract or agreement by the business associate, the covered entity is going to step in, because they're the ones that are required to take reasonable steps to cure the breach or end the violation.
And if the covered entity is unsuccessful in its remediation efforts, the covered entity must terminate the contract or arrangement. If termination of the contract or agreement is not feasible, well, then the covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights. So there it is. Just so you know where the covered entity's loyalty really lies: it's making sure that they stay out of boiling hot water if the business associate abuses the privilege granted to them by the covered entity, the sharing and disclosure of its PHI.
There are exceptions, situations in which a business associate agreement is not required. These types of situations include when a health care provider discloses protected health information to a health plan for payment purposes; with persons or organizations like janitorial services or electricians, whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if it happens at all; and when group insurance plans need to share between themselves within a much bigger conglomerate of providers known as health maintenance organizations, or HMOs, where these covered entities are permitted to share protected health information that relates to their joint health care activities.
Claims and reimbursement is another activity that doesn't require a business associate contract, as is disclosing health information to a researcher for the purpose of research, either with patient authorization or because the researcher is not performing an activity that falls under the HIPAA regulation. Thus, no business associate agreement is needed there. And normal banking transactions, where currency is exchanged or transferred or payment methods are swapped (credit cards, banking, ATM cards, etcetera), are all outside of the business associate requirements.
So we've covered a lot regarding business associate agreements. So it must be time to reach out via text messaging to our partner down the street, who takes care of our medical building services, and ask them for the answer to this question, because it's in our contract that they have to help us with compliance. We covered this in this lecture, so we're good. So text away.
Name the four fundamental components of a business associate agreement or contract.
Well, the contract will define the scope of services that the business associate will require, and when we have to disclose PHI. It will also state that only under the stated scope, or when required by law, will the disclosed information be used or accessed. And the business associate must have the appropriate safeguards to prevent the disclosure of PHI to any unauthorized person. And if and when a breach occurs, the contract will state the covered entity's responsibility: it's our job to remediate, to minimize the breach event and resolve it, and if that fails, the appropriate levels will terminate the contract with the business associate. Not good. You've been fired.
So in this lecture, we reviewed the roles and functions of the business associate and the contracts we need to have in place with them as covered entities. And we looked at when there are exceptions to business associate agreements, and then specifically called out instances when BAAs are not required, like during payments, filing claims, and when sharing between insurance providers to deliver health care, treatment and services.
It's really good stuff.
So thanks for adhering to our business associate agreement by sitting through this whole lecture. Our next lecture, the final lesson of module one, is complementary standards to HIPAA: best practices and other common frameworks to make sure our security program is on the right track. So on behalf of all of us here at Cybrary, thank you so much for sitting in; we hope you're enjoying the lecture so far.
So take care and happy journeys.