Question: Our practice is contracting with a new vendor. I sent the vendor a business associate agreement (BAA) to sign, but the vendor is claiming it’s not a business associate (BA) under HIPAA. The vendor will provide us with cloud storage for patient data, so I believe that the vendor is in fact a BA. Who is correct?
Answer: The vendor is a HIPAA BA if it receives, maintains, stores, accesses, or transmits health-related information in the course of providing services, according to a June 9 blog posting by partner attorney Laurie Cohen for the law firm Nixon Peabody LLP. Further, the vendor is a BA under HIPAA if the health-related information is protected health information (PHI), as defined by HIPAA, and if that PHI originates from a covered entity (CE).
According to Cohen, at a minimum, a HIPAA BA must:
1. Develop HIPAA privacy, security, and breach notification policies;
2. Perform a security risk assessment;
3. Provide HIPAA education to its workforce; and
4. Prepare a BAA to use with its own subcontractors who receive, maintain, store, access, or transmit PHI in the course of providing services.
Any BAs that you work with must understand the requirements and their responsibilities under HIPAA. This is especially important as the HHS Office for Civil Rights (OCR) rolls out its audit process later this year, which is also expected to target CEs as well as their BAs, Cohen warned.