Health Information Compliance Alert

Make Sure Your BAAs Are HIPAA-Compliant to Avoid Getting Burned

Unauthorized access and disclosure land many a practice in hot water annually. Oftentimes, this type of breach cannot be controlled by physicians and their certified staff, who diligently follow HIPAA to the letter. Despite these providers’ efforts to stay compliant, the errors can usually be traced to business associates, who either fail to acknowledge the rules or are unaware of them. Ensuring that your business associate agreements (BAAs) are enforced can help you avoid issues down the road.

Who’s to Blame?

“There is really no reason why a provider shouldn’t have BAAs in place in 2017,” says Michael D. Bossenbroek, Esq. of Wachler & Associates, P.C. in Royal Oak, Michigan. Though an occasional infraction might slip by now and then, setting up a firm BAA will likely help you dodge this common breach. The BAA helps enforce the principles of HIPAA, and partners who refuse to enter into this type of contract probably aren’t worth your time.

“Providers need to give careful thought to identifying their business associates and making sure that they have a HIPAA-compliant BAA in place with those business associates,” Bossenbroek says. “Providers aren’t necessarily responsible for the actions of their business associates, but a failure to execute a BAA is an easy way to get pulled into a business associate’s breach or failure to comply with HIPAA.” 

Consider this: Guidance from the OCR and HHS suggests that a strong BAA, with clearly defined procedures and policies, should be a top priority. Both federal agencies bring a myriad of tools to the table to help you address these types of issues. Here are a few of the materials they present to help you set up HIPAA-compliant BAAs:

  • Comprehensive risk analysis tool
  • Monthly OCR Cyber Awareness Newsletter
  • Outline and overview of the HIPAA Security Rule with printables and links
  • Safeguards and setup templates for your practice’s HIPAA program

Resource: For a look at the HHS link, visit https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.