The HIPAA Business Associate Agreement Checklist
April 20, 2018

Let us start by establishing who is, and who is not, a Business Associate.

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.

The key point is that a business associate is any person or entity that requires the disclosure of “individually identifiable health information” in order to deliver its product or service to, or on behalf of, the Covered Entity.

Individually identifiable health information, according to HIPAA, is information that is a subset of health information, including demographic information collected from an individual, and:

  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    • That identifies the individual; or
    • With respect to which there is reasonable basis to believe the information can be used to identify the individual.

To comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA), all health care providers, health plans and health care clearinghouses must have a business associate agreement with any third party that accesses patient protected health information (PHI). Here are the elements you must include in your Business Associate Agreements:

  • Proper Usage of PHI

Describe when and how the third party (Business Associate) will be using patient protected health information.

  • Proper Disclosure of PHI

Indicate that the Business Associate can only disclose PHI in ways that are specified in the business associate agreement or that are required by law.

  • The Need for Additional BAAs

Indicate that the Business Associate must enter into a separate Business Associate Agreement with any subcontractor that will access patient PHI.

  • The Proper Destruction of PHI

Specify when and how the Business Associate is to return or effectively destroy all patient PHI.

  • Safeguards to Prevent Breaches

Stipulate that safeguards be put in place to prevent the Business Associate from accidentally disclosing PHI.

  • Realization of Your Obligations

Stipulate that the Business Associate (BA) must take the measures necessary to satisfy your obligations under HIPAA.

  • Mandatory Disclosures of PHI

Define under what circumstances the BA must disclose PHI (e.g. at the patient’s request).

  • Disclosure of Breaches

Spell out how and when the BA must report any accidental disclosure of PHI to you.

  • The Right to Terminate the Agreement

Specify your rights to terminate the BAA, and indicate the BA’s obligations upon termination.

Sample Business Associate Agreement provisions are available free of charge on HHS.gov’s website.
