Business agreements can protect everyone involved.

If your practice takes business associate agreements lightly, it’s time to start putting some weight on the issue. That’s the takeaway from a recent HHS settlement involving a gastroenterology group that didn’t have a signed business associate agreement (BAA) on file for a vendor — and paid the price for that oversight.

Background: On April 20, the Center for Children’s Digestive Health paid the US Department of Health and Human Services $31,000 as settlement for potential HIPAA violations. The seven-clinic practice was said to have hired a company to store its records, but after investigating, neither the record storage firm nor the practice could produce a signed BAA. The lack of a BAA constitutes a violation of the HIPAA patient privacy laws.

Here’s why: “The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information,” the Department of Health and Human Services says on its website. In other words, the BAA offers proof to the practice that the business associate (in this case, the record storage facility) agrees to follow the patient privacy laws.

If you’re still confused about BAAs — or if you’ve never seen one — read on for tips on how to ensure you’re covered from a HIPAA standpoint.

1. Understand Why the BAA Makes Sense

In addition to being required by the HIPAA rules, BAAs are important to maintain because they put everyone on notice regarding what the rules and procedures are when it comes to handling protected health information (PHI), says Vik Chaudhry, Esq., of The VC Law Group in San Diego.

“Realistically speaking, it’s an easy thing to comply with since the CMS website even includes templates,” Chaudhry says. “But the problem is more the lack of understanding that this is required. If you’re a covered entity and you’re sharing PHI, shouldn’t it make sense that the entity receiving it should be covered under the same framework that the Privacy Rule and Security Rule dictate?”

2. Send One to All Business Associates

If you realize you don’t have a signed BAA on file for your vendors, first make sure you need one, Chaudhry says. “If the other entity you’re working with doesn’t create, receive, maintain or transmit PHI, it’s possible that they aren’t a true business associate and therefore they may not need one.”

If they are business associates, however, your first order of business is to immediately stop transferring PHI to that entity, Chaudhry advises. Once you have the agreement signed, you can then resume transmitting PHI.

If the vendor refuses to sign the BAA, then you may have deeper problems on your hands. “I have seen certain business associates refuse to sign these, and that’s extremely troubling,” Chaudhry says. “If they’re unwilling to sign it, you won’t be in compliance with HIPAA if you transmit PHI to that entity — and you should think about whether you want to be in business with someone who won’t sign a basic agreement required by HIPAA.”

3. Maintain A Signed Copy of the BAA

You should ensure that you have a signed copy of all business associate agreements on file and readily available to you. “When I draft HIPAA manuals I always include language that says the covered entity is going to retain a copy of the business associate agreement, not only to be reviewed and amended as changes occur, but also it has to be on file for compliance reasons,” Chaudhry says.

As demonstrated in the settlement described above, having the signed copy on file could be the difference between passing a HIPAA audit and having to pay the government for an infraction.

Bonus tip: You should regularly review and amend your business associate agreements, since HIPAA laws change frequently and your agreements must reflect those changes, Chaudhry says.
Resources: To see a sample business associate agreement, visit the CMS website at https://www.cms.gov/Medicare/Medicare-General-Information/MedicareApprovedFacilitie/Downloads/CAS_Business-Associate-Agreement_07_16_2015.pdf. To reach Vik Chaudhry, Esq., visit www.thevclawgroup.com.

Chaudhry notes that the information in this article is not meant to qualify as legal advice and does not create an attorney-client relationship. If you need legal advice, please contact an attorney directly.