BAA BAA HIPAA Sheep, Have You Any Compliance Penalties?

    Business Associate Agreements, or BAAs, are all the rage these days.  As in rage against the machine, the giant multi-tentacled gleaming metallic horror that is popularly known as the Health Insurance Portability and Accountability Act, or HIPAA.

    Whether or not you were born to sign a BAA, you’ll probably sign one before you die.

    OK, let’s get positive here.  We’re going to talk about what goes into a typical BAA, and what you’re signing onto when you hit that ACCEPT.

    I’m Michael H. Cohen, founding attorney of Cohen Healthcare Law Group.  Since 1999, our law firm has counseled hundreds of healthcare industry clients every year on healthcare and FDA legal issues.  I have to say that HIPAA is part and parcel of almost every conversation.

    If you’re in healthcare, normally you just can’t avoid HIPAA; and, darn it, you just can’t avoid signing a BAA somewhere down the line if you have a company that has anything to do with healthcare.

    First off, what is a Business Associate?

    HIPAA contains a number of different definitions, but the main one that’s important for us is: a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

    So: for example, if you’re a marketing company that collects leads for a physician practice, you probably are receiving, maintaining and transmitting protected health information (or PHI) for those people or about those people on behalf of the physician practice.  The same if you’re an accounting company, or, for that matter, a telemedicine software company that collects PHI and transmits it to the medical personnel.

    Next, what does HIPAA require of a Business Associate?

    HIPAA requires, very simply – well, it’s not so simple at all – that Business Associates comply with HIPAA.

    And what does the Business Associate Agreement require?

    Once you sign the Business Associate Agreement, or BAA, you’re basically signing on to everything the Agreement requires you to do, which is abide by HIPAA, plus whatever additional obligations the Agreement imposes.  For example, you might be obligated to indemnify, or pay back, the healthcare practice if there is a data breach that is due to your own negligence.

    As to the BAA’s terms, these include some of the following:

    • The Business Associate agrees not to use or disclose PHI other than as permitted or required by the BAA or by law.
    • The Business Associate agrees to use appropriate safeguards with respect to electronic PHI, to prevent improper use or disclosure.
    • The Business Associate agrees to report breaches, and to ensure that its subcontractors and other business associates also sign BAAs.

    The BAA also specifies permitted uses and disclosures of PHI by the Business Associate—for example, those that are specified in any management agreement between the Business Associate and the healthcare entity.

    Then there is boilerplate, such as the term of the BAA, and who can terminate under what circumstances.

    BAAs might seem generic, but like all legal documents, they’re worth review by legal counsel.  Sometimes you’ll find hidden provisions that are silently lurking until the day they are triggered by circumstances no one ever expected.  If that happens, you’ll be glad you had your own attorney weigh in on the language well before you signed the document.

    Thanks for watching.  Here’s to the success of your healthcare venture; we look forward to speaking with you soon.