August 14, 2014

What is a Business Associate Agreement?
When a healthcare provider wants to disclose protected health information (PHI) to a business associate, there must be certain assurances from the business associate regarding the safeguarding of the information.  Such assurances must be contained in a written contract known as a Business Associate Agreement (BAA).  The contents of a BAA are dictated in part by law and should be prepared by competent healthcare counsel.

Why Do I Need a New One?
The Federal government issued final regulations modifying the legal requirements for a BAA and requiring that they be implemented by September 2013.  However, in certain circumstances, providers were eligible for the extension until September 2014.  If your practice has not implemented the modified BAA in all of its relationships with business associates, whether or not the practice was eligible for the extended date, now is the time to do so.  Failure to have a proper BAA in place may result in monetary exposure to your practice.

Who Do I Need to Have This New BAA With?
The practice should be executing a new revised BAA with all business associates.  Business associates are third parties (not members of your workforce) who have access to your PHI as part of their services.  Examples of common business associates are your billing company, accountant, IT, transcriptionist or shredding company.

Other Potential BAA Modification Benefits
There are additional benefits to updating your agreement if it is lacking protections for your entity, such as a shift in liability via indemnification.

Can I Use the BAA as my Service Agreement?
Generally, the BAA and the Service Agreement are two separate documents.  The BAA outlines requirements pertaining to HIPAA, while the Service Agreement is more focused on the terms of the arrangement, such as cost, services being offered and termination.  A Service Agreement is an important document that should not be signed without review.  These documents may carry significant legal and financial consequences for both parties, and we recommend reviewing them with healthcare counsel in order to best protect your interests.

Where Do I Find My New BAA?
Well, you can use the free one on the Office for Civil Rights website, available here.  However, that document does not have legal protections in place in case your business associate does incur a HIPAA breach - specifically, that document fails to incorporate risk shifting provisions, such as the concept of indemnification.  To best protect your practice, work with your healthcare attorney on your BAA.  For a customizable BAA with proper risk shifting protections, click here.

Questions about BAAs or other compliance?  Contact Erica or Jennifer to discuss. 

Have a question or comment for Jennifer?
Contact Jennifer at or  at (516) 747-6700 x. 302.