By Bill Minahan   |   December 22, 2020   |   1 Comment

HIPAA BAA Checklist:

A comprehensive checklist of everything you need to know about the HIPAA Omnibus rule, BAAs, and remaining compliant.

The fines and consequences of HIPAA violations can cost you your practice. If you are not educated on HIPAA BAA requirements, then they can be easy to violate.

The following HIPAA BAA checklist will provide you with everything you need to know about BAA compliance.

HIPAA BAA Checklist:

• Understand what a Business Associate Agreement (BAA) is

Today, health care organizations increasingly partner with and rely on outside business associates to perform tasks. This often means granting third-party companies access to protected health information (PHI), which increases the chance of exposure and breaches.

A business associate is an organization that creates, receives, maintains, or transmits PHI on behalf of a health care organization.

As a result of the HIPAA Omnibus rule, healthcare organizations that require their business associates to access PHI must have a BAA to ensure HIPAA Privacy and Security Rules are met. Read more about HIPAA Privacy and Security Rules here.

A BAA is a written arrangement between a health care organization and its business associates that highlights their commitment to security and lays the groundwork for protecting patient data.

A BAA contract is not a suggestion for health care providers and their business associates—it’s the law.

If you would like us to write and manage your BAAs with your third-party business partners, then please contact us today.

Once you know what a BAA is, you can determine which businesses require one.

• Identify Business Associates

A business associate is any organization or individual that accesses PHI on behalf of a health care provider. To be specific, the following are services for which health care providers could require other businesses or individuals to complete:

– Consultants: management, billing, coding, transcription, or marketing companies.
– IT contractors: data storage or document destruction companies.
– Lawyers, accountants, or malpractice insurers.

Along with many, many more. Accurately identifying business associates is an essential part of the HIPAA BAA checklist. If health care providers don’t have a BAA in place with their business associates that access PHI, then they’re violating HIPAA. Even business associates who only have access to encrypted PHI are still liable.

Furthermore, if a health care organization fails to create a BAA, the business associate is still at fault if PHI is compromised. Therefore, it’s in the best interest of both partnering companies that create, maintain, or transmit PHI, to have a BAA contract.

• Identify Exceptions

It’s also important for health care organizations to determine who does NOT need a BAA. Business Associates who are exempt from BAA contracts include, but are not limited to:

– Internet Service Providers.
– U.S Postal Service.
– Other Courier Services.

• Establish the permitted and required uses of PHI with business associates and execute the contract

After you determine who is and isn’t a business associate, you can begin to establish their permitted uses of PHI.

The U.S Department of Health and Human Services (HHS) only allows health care providers to share PHI if it is used to carry out health care functions. HIPAA doesn’t allow PHI to be shared or sold for any independent uses or marketing purposes. For example, a business associate can’t use PHI in their email campaigns.

The Business Associate Agreement must include the following information:

– Describe the permitted and required uses of PHI by business associates.
– Provide that business associates will not use or further disclose PHI other than what’s permitted in the contract.
– Require business associates to use appropriate safeguards to prevent HIPAA breaches or inappropriate uses of PHI.

We can write your BAa for you today.

• Conduct a Security Rule risk analysis and adopt safeguards

Under the HIPAA Security Rule, both health care organizations and the business associates they partner with must perform and document a risk analysis of their network and IT systems to identify risks.

Business associates and health care organizations must identify, document, and respond to risks accordingly. Furthermore, they must implement specific technical, physical, and administrative safeguards under the Security Rule.

The policies put in place should be in writing. If you are interested in a Written Information Security Program (WISP) that covers all aspects of HIPAA Compliance, including implementation and management of BAAs, then please check out our COMPREHENSIVE HIPAA WISP.

A checklist of HIPAA Security Rule requirements here.

•  Perform Cyber Security Awareness Training around HIPAA regulations for all eligible employees

All employees that have access to PHI should receive training on cyber security best practices, HIPAA rules, and internal security policies. Despite human error being the number one cause of HIPAA data breaches, security awareness training is one aspect of the HIPAA BAA checklist that many organizations don’t take seriously.

An educated workforce that is aware of cyber threats and HIPAA regulations is less likely to violate HIPAA rules.

Furthermore, the training should be documented. That way if a HIPAA violation does occur, it will be easier to avoid the accusation of willful neglect. This brings us to our final point of the HIPAA BAA checklist.

• Keep a record of all required documents

The final, and perhaps most important point on aNetwork’s HIPAA BAA checklist, is maintaining records of your company’s HIPAA BAA compliance. Both health care organizations and business associates must keep a record of the required BAA for up to 6 years after the last effective date.

Even if you’re doing all the right things: BAA contracts, security policies, employee training, there needs to be concrete evidence of it. When a breach occurs, the HHS investigates the extent to which it could’ve been avoided.

If there’s no evidence of all the measures you’ve taken to ensure the protection of patient information, then your company will most likely be accused of willful neglect.

The HHS defines willful neglect as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA rules. The fines can reach up to $1,500,000 per year.

Proper documentation of risk analysis and assessments, security policies, personnel training, and safeguards, makes the accusation of willful neglect far less likely. If you are interested in a comprehensive document that covers all of the written and physical HIPAA Compliance requirements, then please take a look at our HIPAA Written Information Security Program (WISP).

In conclusion, health care organizations and their business associates that handle PHI share the responsibility of keeping the data they store safe.

A BAA establishes the permitted use of PHI and helps both businesses remain compliant and avoid hefty fines.

Health care is the single most at-risk industry when it comes to cyber attacks. If a data breach does occur, you want to be able to prove to your patients, HHS, and the public, that you were doing all the right things.

By following this HIPAA BAA checklist, your company has a better chance of HIPAA compliance. Unfortunately, HIPAA compliance can be intimidating and time-consuming.

HIPAA compliance shouldn’t be hard, confusing, or expensive. We offer total HIPAA compliance software and solutions: audits, vulnerability scanning, risk solutions, and more.

That way, you can do your job without living in fear of HIPAA violations and fines.

Let us do the hard stuff.

Download Complete HIPAA Checklist 2020

---

---