HIPAA BAA Checklist: HIPAA Compliance 2020


By Kimberly Connella   |   December 22, 2020


Everything you need to know about the HIPAA Omnibus rule, BAAs, and remaining compliant.

The fines and consequences of a HIPAA violation can cost you your practice.

Not understanding the HIPAA BAA requirements can lead to unintentional violations.

The following HIPAA BAA checklist covers what you need to know about BAA compliance.

HIPAA BAA Checklist:

  • Understand what a Business Associate Agreement (BAA) is:

Today, health care organizations commonly partner with and rely on outside business associates to perform tasks. In practice, this often means granting third-party companies access to protected health information (PHI), and every additional party that holds PHI increases the chance of exposure and breaches.

A business associate is an organization that creates, receives, maintains, or transmits PHI on behalf of a healthcare organization.

The HIPAA Privacy and Security Rules require a healthcare organization to have a BAA in place before a business associate may create, receive, maintain, or transmit PHI on its behalf. The 2013 HIPAA Omnibus rule extended that requirement to the business associate's own subcontractors and made business associates directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule. Read more about HIPAA Privacy and Security Rules here.

A BAA is a written contract between a healthcare organization and each of its business associates. It spells out what the business associate may do with PHI, the safeguards it must apply, and what happens when something goes wrong, and it lays the groundwork for protecting patient data.

A BAA is not a suggestion for health care providers and their business associates; it is required by the HIPAA Privacy Rule (45 CFR 164.502(e) and 164.504(e)).

If you would like us to write and manage your BAAs with your third-party business partners, then please contact us today.

Once you know what a BAA is, you can determine which businesses require one.

  • Identify Business Associates

A business associate is any organization or individual that creates, receives, maintains, or transmits PHI on behalf of a healthcare provider. The following are typical services for which a health care provider relies on outside businesses or individuals that will handle PHI:

– Consultants: management, billing, coding, transcription, or marketing companies.
– IT contractors: data storage or document destruction companies.
– Lawyers, accountants, or malpractice insurers.

This is only a brief list; in reality there are many more. Accurately identifying business associates is an essential part of the HIPAA BAA checklist. If a health care provider does not have a BAA in place with a business associate that handles PHI, it is violating HIPAA. The definition does not depend on whether the vendor can read the data: under HHS guidance, a vendor that only stores encrypted PHI and never holds the decryption key is still a business associate and still needs a BAA.

Furthermore, since the Omnibus rule, a business associate is directly liable for its own HIPAA compliance whether or not the healthcare organization ever executed a BAA, so a missing contract protects neither party if PHI is compromised. It is therefore in the best interest of both companies that create, receive, maintain, or transmit PHI to have a BAA in place.

  • Identify Exceptions

It’s also important for health care organizations to determine who does NOT need a BAA. Under the HIPAA "conduit exception", an organization that merely transports PHI and does not store it except transiently while in transit is not a business associate and does not need a BAA. Examples include, but are not limited to:

  • Internet Service Providers.
  • U.S. Postal Service.
  • Other courier services.

The exception is narrow: a vendor that stores PHI on your behalf, such as a cloud storage or backup provider, is a business associate, not a conduit.

  • Establish the permitted and required uses of PHI with business associates and execute the contract.

After you determine who is and isn’t a business associate, you can begin to establish their permitted uses of PHI.

The U.S. Department of Health and Human Services (HHS) only allows a healthcare provider to share PHI with a business associate for the healthcare functions the business associate performs on the provider's behalf, and the BAA may permit only those uses (plus the business associate's own proper management and administration). HIPAA prohibits a business associate from using PHI for its own independent purposes and prohibits marketing uses or sale of PHI without patient authorization. For example, a business associate can’t use PHI in its own email campaigns.

Under 45 CFR 164.504(e), the Business Associate Agreement must, at a minimum:

  • Describe the permitted and required uses and disclosures of PHI by the business associate.
  • Provide that the business associate will not use or further disclose PHI other than as the contract permits or as required by law.
  • Require the business associate to use appropriate safeguards to prevent unauthorized use or disclosure of PHI, and to comply with the Security Rule for electronic PHI.
  • Require the business associate to report any use or disclosure not permitted by the contract, including breaches of unsecured PHI, to the healthcare organization.
  • Require the business associate to ensure that any subcontractors that handle PHI agree to the same restrictions and conditions.
  • Require the business associate to return or destroy all PHI at termination of the contract, where feasible.
  • Authorize the healthcare organization to terminate the contract if the business associate violates a material term.

We can write your BAA for you today.

  • Conduct a Security Rule risk analysis and adopt safeguards

Under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)), both health care organizations and the business associates they partner with must perform and document an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic PHI they hold.

Business associates and health care organizations must identify, document, and respond to those risks accordingly, and must implement the administrative, physical, and technical safeguards that the Security Rule requires.

The policies put in place should be in writing. If you are interested in a Written Information Security Program (WISP) that covers all aspects of HIPAA Compliance, including implementation and management of BAAs, then please check out our COMPREHENSIVE HIPAA WISP.

A checklist of HIPAA Security Rule requirements is here.

All employees that have access to PHI should receive training on cyber security best practices, HIPAA rules, and internal security policies. Even though human error is consistently among the leading causes of HIPAA data breaches, security awareness training is one aspect of the HIPAA BAA checklist that many organizations don’t take seriously.

An educated workforce that is aware of cyber threats and HIPAA regulations is less likely to violate HIPAA rules.

Furthermore, training should be documented (who was trained, on what, and when). That way, if a HIPAA violation were to occur, it would be easier to avoid the accusation of willful neglect. This brings us to our final point of the HIPAA BAA checklist.

  • Keep a record of all required documents

The final, and perhaps most important, point on aNetwork’s HIPAA BAA checklist is maintaining records of your company’s HIPAA BAA compliance. Both health care organizations and business associates must retain each required BAA, along with their policies and other required documentation, for at least 6 years from the date it was created or the date it was last in effect, whichever is later.

Even if you’re doing all the right things (BAA contracts, security policies, employee training), there needs to be concrete evidence of it. If a breach happens, the HHS Office for Civil Rights evaluates how much of it could have been avoided.

If there is no evidence of the steps you’ve taken to protect patient information, your company is likely to be accused of willful neglect.

HHS defines willful neglect as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA rules. For violations of the same provision, fines can reach up to $1,500,000 per calendar year (a cap that HHS adjusts for inflation).

Proper documentation of risk analysis and assessments, security policies, personnel training, and safeguards, makes the accusation of willful neglect far less likely. If you are interested in a comprehensive document that covers all of the written and physical HIPAA Compliance requirements, then take a look at our HIPAA Written Information Security Program (WISP).

In conclusion, health care organizations and their business associates that handle PHI share the responsibility of keeping the data they store safe.

A BAA establishes the permitted use of PHI and helps both businesses remain compliant and avoid large fines.

Health care is consistently among the most targeted industries when it comes to cyber-attacks. If a data breach does occur, you want to be able to prove to your patients, HHS, and the public that you were doing all the right things.

By following this HIPAA BAA checklist, your company has a better chance of HIPAA compliance. Unfortunately, HIPAA compliance can be challenging and time-consuming.

HIPAA compliance shouldn’t be hard, confusing, or expensive. We offer total HIPAA compliance software and solutions: audits, vulnerability scanning, risk solutions, and more.

That way, you can do your job without living in fear of HIPAA violations and fines.

Let us take the load.
