What are Common HIPAA Business Associate Agreement Failures?


A HIPAA business associate agreement (BAA) is a contract between a HIPAA-covered entity and a vendor that is providing a service to that covered entity. These agreements are very common in the healthcare sector, yet HIPAA-covered entities often make mistakes when completing a BAA.

A signed HIPAA business associate agreement must be completed by the covered entity before it is legal for a business associate to come into contact with or process PHI or ePHI.

Despite these agreements being around for some time, covered entities tend to make mistakes when completing or enacting a BAA. In this article we detail the most common mistakes.

1. Having Every Contractor Complete a BAA

A number of covered entities have taken a “better-safe-than-sorry” strategy in relation to tackling their definition issues, and have completed agreements with all entities they have business relationships with, whether they were legally necessary or not. Recent studies sponsored by the California Healthcare Foundation discovered that many entities were completing agreements with other covered entities unnecessarily, and were also entering into agreements with vendors who were not accessing PHI.

2. Believing a Completed BAA Means HIPAA Compliance is Certain

As part of the aforementioned study, CHF found many covered entities were neglecting their due diligence obligations and were not obtaining “satisfactory assurances” that the BA they were disclosing PHI to was HIPAA-compliant. Instead, they restricted their investigative efforts to “high risk” IT vendors and only looked to guarantee that they had mechanisms in place to safeguard stored and electronically transmitted PHI. Fewer still reviewed their BAs to ensure compliance with HIPAA. Only a small number asked to see proof of risk assessments and policies and procedures covering the actions that must be taken in the event of a violation of PHI. These failures could result in the covered entity being sanctioned with a financial penalty for breaching HIPAA.

3. Allowing Some Companies to Handle ePHI without a HIPAA Business Associate Agreement

Many service suppliers are not given PHI to perform duties on behalf of the covered entity, but ePHI still passes through their systems and databases. Many software solutions impact ePHI, which means the software provider is classified as a business associate. There is an exception for entities that act as conduits through which ePHI simply passes, although the majority of cloud service and software providers are not exempted from compliance with HIPAA, and BAAs are necessary.

4. Thinking Encryption of PHI is Enough for HIPAA Compliance

Encrypting all ePHI that is saved or shared by a business associate is an important security measure, but encryption alone is not enough to ensure HIPAA compliance. Physical security measures must also be configured to ensure ePHI cannot be accessed by unauthorized persons, administrative safeguards must be put in place, and written policies and processes must be developed and maintained.

5. Not Completing a HIPAA Business Associate Agreement with Subcontractors

The business associate agreement sees to it that there is a chain of custody for PHI. A vendor of a HIPAA covered entity must complete a contract with the covered entity, and a subcontractor used by a business associate is also obligated to enter into such a contract. A subcontractor is a business associate of a business associate and is not covered by the BA/covered entity contract. A separate contract must be completed before access to PHI is permitted. The chain can be long and the further away from the covered entity that ePHI is sent, the greater chance there is for HIPAA business associate agreement breaches.

6. Business Associate Agreement Template Failures

There are many HIPAA business associate agreement templates on the market. However, they should always be reviewed closely before use. Before using a template like this, it is crucial to check for whom that template has been created to make sure it is relevant. It should also be amended to take into account all of the requirements stated by the covered entity.