A Business Associate Agreement is required by HIPAA before a covered entity (for example, a medical office) may give a third party (the "business associate") access to protected health information (PHI). It sets out the rules under which personal medical records may be transmitted in accordance with federal law. Once the agreement is in place, the business associate is responsible for safeguarding all PHI shared with it and must follow specific instructions in the event of a security breach. The business associate is strictly prohibited from selling PHI or using it for any purpose the agreement does not permit.

In the simplest terms, a Business Associate Agreement (BAA) is a legal contract between a health care provider and a person or organization that, as part of its services, accesses, transmits or stores protected health information (PHI) on the provider's behalf. Whether you call it a business associate agreement or, as HIPAA does, a business associate contract, it is an important part of an organization's efforts to be HIPAA compliant. Below, we have put together the basic components and definitions of a HIPAA business associate agreement template that you can browse. Keep in mind that BAAs are legally binding agreements, so it is best to have a designated security officer, lawyer or HIPAA compliance solution help you navigate these contracts.

If a business associate or subcontractor breaches or fails to comply with a BAA, the covered entity must take reasonable steps to cure the breach or end the violation. "If such steps are unsuccessful, they must terminate the contract or arrangement," HHS explains. "If termination of the contract or arrangement is not feasible, a covered entity is required to report the problem to the HHS Office for Civil Rights." [1]

There are a few exceptions to the requirement to sign a business associate contract. These include specialists to whom a hospital refers a patient and transmits the patient's medical chart for treatment, laboratories to which a physician discloses a patient's PHI for treatment, and the disclosure of PHI to a health plan sponsor, such as an employer, by a group health plan.

To protect PHI, the Security Rule requires that safeguards be established and put in place. For example, a comprehensive security risk analysis of the operations of both the covered entity and the business associate should be conducted before either party is permitted to process and transmit PHI. If PHI under the business associate's control is accessed by persons who are not authorized to view it, the business associate is required to notify the covered entity of the breach and may also be required to send notifications to the individuals whose PHI was compromised.