Business Associate Agreements (BAAs) Are Required By HIPAA
Vendors that have access to PHI (Protected Health Information) must give assurances that they are protecting that data adequately. This is done through a signed Business Associate Agreement (BAA), a contract between you and the vendor that states the vendor understands and complies with HIPAA regulations.
Vendors That Usually Require a BAA
- EHR and other software vendors, if they access your data for troubleshooting or if they host your data for you
- IT consultants
- Data centers, managed servers, data storage providers, and backup services; even though they may not need to access your data to provide their services, a BAA covers the potential for insider misuse
- Collections agencies
- Accountants, particularly when they provide accounts receivable services where they may encounter patient names
- Storage facilities
- Shredding companies, especially when they remove your paper records for off-site destruction
- Transcription companies
Vendors That May Not Need BAAs
- Phone and internet providers, covered by HIPAA’s conduit exception
- Couriers and delivery services
- Other covered entities, including physicians and laboratories
- Janitorial services, but your risk assessment should document your clean-desk policies to minimize incidental exposure
You do not need to sign a BAA with the subcontractors of your Business Associates, but your Business Associates must get those contracts signed with their own business associates.
Importance of a Risk Assessment
A thorough review of all BAAs should be part of your annual risk assessment. It is important to ensure that all Business Associates have a valid, up-to-date agreement that covers all the terms required by HHS.