Provided by: Jennifer Kirschenbaum, Esq.
March 23, 2021
When should I be requiring a business associate agreement and should I have a form to use when I need one? Is there a specific form to use?
A "Business as Usual" question! A year past, and it seems we are moving towards business as usual. It is not quite time to remove Covid screenings (as I have been asked), or dump Covid consents (please keep using), but we can smell business as usual around the corner, so, this is a perfect question to get back to normal.
You need a business associate agreement with any third party (a non-employee or non-partner) with access to the protected health information of which you are custodian. An ancillary service provider with no access, for instance your wireless provider, need not have a BAA unless the provider can actually access your system. If you store data in the cloud, the cloud provider should have a BAA with the practice.
As a reminder, a Business Associate Agreement is a contract that sets forth each party's obligations to the other as related to their protection of, access to and use of protected health information. The government provides a free form here - https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. What the free form does not provide is indemnification language - risk-shifting contractual protection against a business associate misusing protected health information, or disclosing it unlawfully or in violation of the contract. HIPAA, by its language, authorizes "risk shifting", which means we can insert language placing monetary exposure on the business associate should a disclosure or breach of protected health information result from the business associate's use or access, act or omission, or any other contractual reason we insert.
Yes, you can have a form Business Associate Agreement on file; but be advised that many third-party vendors will present you with their own form and request that you start with or use it. Always always always have any contract presented to you reviewed by a healthcare attorney. Be sure that your form Business Associate Agreement has indemnification - protecting you against an exposure caused by the business associate - just as I will be sure that any BAA I revise for you has indemnification for your benefit. Yes, all third-party vendors with potential access to protected health information at your practice should sign it (IT person, cleaning person, clearinghouse, biller, coder, bookkeeper, etc.).
Just because a BAA is commonplace doesn't mean a presented BAA should not be reviewed. Language in a BAA can hurt you (by not protecting you, or worse, by shifting financial obligation to you - it's a two-way street...). For our standard form BAA or for assistance with review, contact Taryn or me directly.