Not every associate is a BA. Your ob-gyn practice’s bottom line is on the chopping block if one of your business associates (BAs) is involved in a HIPAA breach and you don’t have an appropriate agreement in place. Follow our experts’ three steps to make sure you’re protected. Step 1: Decide Who Constitutes a Business Associate Business associates and their subcontractors maintain protected health information (PHI) and electronic protected health information (ePHI) just as your practice does, but are not themselves a covered entity. The level of their interaction with your employees depends on the complexity of the service they provide. A business associate is often someone who performs one of these five services for a covered entity, suggested Ryan Boggs, CISA, CRISC, HCISPP, CCSFP, manager of IT advisory at BHG in Charlotte, N.C. during a session at HIMSS17 titled “Managing Risk As a Business Associate:” You may contract with other businesses, such as a cleaning service, but do they all require a BA agreement (BAA)? “Business associate agreements include organizations that may create, receive, maintain or transmit health information,” notes HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vt. Since your cleaning staff is not accessing health information in any way, they won’t typically be considered “business associates.” Step 2: Execute BAAs Once you’ve identified an entity as a BA, you “must execute written contracts … to make sure they safeguard PHI according to HIPAA standards,” explains Jo-Anne Sheehan, CPC, CPC-I, CPPM, senior instructor with Certification Coaching Org., LLC, in Oceanville, N.J. “Business associates must do the same with any of their subcontractors who can be considered business associates.” When you’ve got a signed business associate agreement (BAA) on file, it binds the entity to HIPAA and protects your practice if a breach occurs under their watch. Make sure you get the BAA signed, if law allows, before sharing PHI. “Business associates are subject to most of the same privacy and data security standards that apply to covered entities, and may be subject to HHS audits and penalties,” Sheehan says. Tip: For more information on constructing BAAs and medical exceptions, see www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. Step 3: Enact “Cleaners’’ Confidentiality Contracts For third parties you contract with that don’t handle PHI, such as your cleaners, you can establish a Confidentiality Contract instead of the more complicated and expensive BAA. This type of contract protects you should an accident or theft happen, but it doesn’t completely discharge you from liability. The language of the confidentiality agreement “puts the company on the hook if it should breach its obligations with respect to confidentiality,” says attorney Kathleen D. Kenney, Esq., of Polsinelli LLP in Chicago. “Most third parties with access to PHI will meet the definition of a business associate, but in the unusual instances where they do not, having contractual protections in place puts a provider in a better position.” Kenney adds, “But this certainly does not absolve the provider from its own obligations to ensure safeguards as OCR will only look at the provider if an incident occurs and the third party does not meet the definition of a business associate.”