Let’s explore the question in the blog below. First, let’s take a look at three <\/span>HIPAA fines<\/span><\/i> imposed by <\/span>the<\/span><\/i> Office of Civil Rights<\/span><\/i> (OCR)<\/span><\/i> in <\/span>2019<\/span><\/i> and <\/span>2020<\/span><\/i>.\u00a0\u00a0<\/span><\/p>\n Under the US law, all healthcare providers need to follow the <\/span>Heath and Insurance Portability and Accountability Act<\/span><\/i> (HIPAA)<\/span><\/i> if their work involves patients\u2019 <\/span>protected health information (PHI)<\/span><\/i>.<\/span><\/p>\n If a covered entity wants to outsource their work, they need to follow certain rules set by <\/span>HIPAA<\/span><\/i>.\u00a0 Activities or functions involving protected health information can be outsourced only if –\u00a0\u00a0<\/span><\/p>\n A covered entity can disclose PHI to a vendor only after receiving satisfactory assurance about how the vendor would use the PHI. The assurance should be in the written form. Vendors need to assure that they will –\u00a0<\/span><\/p>\n Vendors must follow the same rules, when subcontracting their work.\u00a0<\/span><\/p>\n The three HIPAA rules<\/a> apply to the subcontractors of <\/span>business associates<\/span><\/i> as well. The subcontractors too must follow the same standards as the <\/span>business associates<\/span><\/i>. Neither one can use the PHI for purposes not in their <\/span>business associate agreement<\/span><\/i>.\u00a0<\/span><\/p>\n The agreement needs to be in place before the disclosure of PHI happens. Failure to have a signed <\/span>business associate agreement<\/span><\/i> with a <\/span>business associate<\/span><\/i> is a HIPAA violation. <\/span>Covered entities<\/span><\/i>, <\/span>business associates<\/span><\/i>, and sub-contractors can be penalized<\/a> for the violation.\u00a0<\/span><\/p>\n HIPAA allows a few exceptions to the BAA rule. No such contract is required if you are disclosing the PHI to –<\/span><\/p>\n The OCR considers the agreement as a written assurance from the vendor. By signing a contract the vendor assures that it has\u00a0<\/span><\/p>\n As per the HIPAA rules, the <\/span>business associate agreement<\/span><\/i> must\u00a0<\/span><\/p>\n Business associate agreements<\/span><\/i> between <\/span>business associates <\/span><\/i>and their subcontractors must follow the same rules as mentioned above. The OCR can take action against <\/span>business associates<\/span><\/i> for failing to address a breach or violation by their subcontractor.\u00a0<\/span><\/p>\n Before you hire a vendor, figure out if it should be labeled as a <\/span>business associate<\/span><\/i>. You should label a vendor as a <\/span>business associate<\/span><\/i> if the job involves creating, disclosing, maintaining, receiving, or transmitting PHI on your behalf.\u00a0<\/span><\/p>\n Next, you\u2019d want to understand if the vendor can follow HIPAA. Ask the vendor to conduct a risk assessment of their system, and put in place a risk-management plan.\u00a0<\/span><\/p>\n The next step would be the signing of a <\/span>business associate agreement<\/span><\/i> with the vendor. Remember, this should all happen before you begin disclosing PHI to the vendor.<\/span><\/p>\n But why go through all this trouble? That\u2019s because it would help establish liability in case of a data breach. Unless there is a signed <\/span>business associate agreement<\/span><\/i> in place, OCR can hold covered entities liable for HIPAA violations by their <\/span>business associates<\/span><\/i>.<\/span>\u00a0<\/span><\/i><\/p>\n Covered entities can also be penalized for not signing <\/span>business associate agreements<\/span><\/i> with their Business associates. Here are some more examples in which covered entities were fined because of carelessness with <\/span>business associate agreements<\/span><\/i>.\u00a0\u00a0\u00a0<\/span><\/p>\n\n
\n
What you need to know about Business associate agreements<\/b><\/h2>\n
What is a Business Associate Agreement (BAA)?\u00a0<\/b><\/h3>\n
\n
Disclosing PHI to a business associate<\/b><\/h3>\n
\n
Business associate subcontractor agreements\u00a0<\/b><\/h2>\n
\n
Exceptions to business associate agreement standards\u00a0<\/b><\/h3>\n
\n
\n
What should business associate agreements include?\u00a0<\/b><\/h3>\n
\n
How to comply with the BAA standards?<\/b><\/h3>\n
Penalties for not signing a BAA<\/b><\/h3>\n
\n