Gazelle Consulting

Is a Signed Business Associate Agreement Enough?

Many covered entities work with vendors, consultants, lawyers, data managers and others for subcontracted services that require the use of protected health information (PHI).

Before releasing PHI to such a vendor, a covered entity is required to obtain a signed Business Associate Agreement (BAA) that spells out the vendor's responsibilities under HIPAA.

But is a signed contract enough to protect you from liability in the case of a breach?

Things to Consider: Business Associate Agreements and HIPAA

As a covered entity, you are required to obtain "reasonable assurance" that your Business Associate (BA) will comply with the BAA and the HIPAA regulations. The rules do not prescribe what that assurance must look like, which leaves a lot of room for you to do what you think is right.

But consider that if one of these BAs causes a breach of the data you provide to them, you may be held liable; under the HIPAA rules a covered entity can be penalized for the violations of a BA that is acting as its agent. By accepting a signature alone as "evidence" that the BA understands the terms of the agreement, takes them seriously, and is implementing the actions the agreement requires, you are putting your own business on the line.

Do you feel that your organization is protected with this level of assurance?

Developing Confidence In Your Business Associate Agreements

In addition to the signed BAA, you might consider sending your BAs a brief compliance questionnaire to confirm that they have at least some sort of compliance program in place.

Then again, if their answers show that they are not strongly compliant, that could affect your ability to do business with them, and it would document that you knew they were not compliant and did business with them anyway. HIPAA expects a covered entity that learns of a BA's material noncompliance to take reasonable steps to cure it or to end the relationship, so a questionnaire that surfaces problems obligates you to act on them.

Many businesses accept a signed contract as "reasonable assurance" of compliance from their BAs. Other businesses, for whom the likelihood or the cost of a BA breach is too high to accept, require more assurance. It is up to your organization to determine what is acceptable.

A good way to determine what is acceptable is to perform a risk analysis that considers how much PHI each business associate will handle and how likely that BA is to comply.

BAs handling large data sets with a low expectation of compliance? They may need stronger assurance, such as a questionnaire, documented policies, or an audit.

BAs who are likely to be compliant and handle only a very small amount of data? A signed contract may be enough.

Do you want an extra layer of confidence in your business associate agreements? Give Gazelle Consulting a call at (503) 389-5666. We'll help you ensure that your business is fully compliant, quickly and painlessly.
