Magazine article Medical Economics

HIPAA Liability Protections: Business Associate Agreements

Article excerpt

The Health Insurance Portability and Accountability Act (HIPAA) requires providers to protect patient information. However, many physicians do not know HIPAA's specific requirements for business associate agreements (BAAs) when dealing with certain vendors or external agents who may handle patient information.

THE FIRST STEP for a physician, known under the language of HIPAA as a "covered entity," is to determine the need for a BAA with a vendor. A vendor is considered a "business associate" under HIPAA if the vendor creates, receives, maintains, or transmits patient health information (PHI) on the provider's behalf.

Common services performed by a business associate (BA) include claims processing, data analysis, quality assurance, billing and collection, practice management, legal, accounting, and consulting.

Entities that only serve as conduits, such as the post office or Internet service providers, are not considered BAs even though they handle patient information.

What BAs must include

If a business associate is providing services to a covered entity, the parties must enter into a written BAA that:

* establishes the permitted uses/disclosures of PHI,

* stipulates that the BA must use appropriate safeguards to prevent unauthorized PHI uses and disclosures,

* spells out that the BA reports to the covered entity any unauthorized uses and disclosures,

* extends the terms of the BAA to its subcontracts, and

* establishes that upon termination of the BAA, the vendor must either return or destroy all PHI.

The consequences of not having a written BAA can be severe. …
