In 2013 as part of the Omnibus Rule, the United States government began to require all Business Associates to follow HIPAA guidelines. A Business Associate (BA) is any company that works with healthcare providers and has access to patient data, even if that access is indirect.
A Business Associate Agreement (BAA) is the required document between the medical provider, known as a Covered Entity (CE) and the Business Associate (BA). Examples of likely Business Associates that medical practices work with include IT firms, document storage and shredding services, attorneys, accountants, collection agencies, transcriptionists, and data centers (to name a few). As a medical provider, you are required to have a BAA that legally details what type of access your vendor (the BA) has to your Protected Health Information (PHI/ePHI), whether in physical or electronic form, along with what they will and won’t do with that data.
If you’re working with an IT firm or independent IT professional, you’re required by law to have a signed BAA (Business Associate Agreement) with that company. Besides not being compliant with HIPAA regulations and potentially facing fines from the Office of Civil Rights (OCR), not having a BAA with your IT firm is also a telltale sign that your IT provider does not understand HIPAA and how to protect your PHI/ePHI. A BAA is the first (and easiest) step to becoming HIPAA compliant and the government does not accept ignorance as a reason not to be compliant.
Don’t let your IT firm put you on the hook for a minimum penalty of $50,000 for Willful Neglect.
For more information about HIPAA, including what aspects of patient data must be de-identified and what companies you need to have a Business Associate Agreement (BAA) with, see our post - What is HIPAA? Why Should You Care and What You Need to Know.