HIPAA Business Associate Agreement
Under the federal HIPAA rules, a Business Associate Agreement (BAA) must be in place, tailored to the work being done, with any third party that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a healthcare provider. The following agreement covers IT services provided to your organization, office, or business by Iowa City Technology Services.
By signing below, you acknowledge that Iowa City Technology Services (ICTS) will make every effort to meet or exceed HIPAA requirements in its work for you, and ICTS agrees to abide by the terms of this agreement in doing so.
In an office that adequately meets HIPAA requirements, patient records are physically and digitally secured, so most IT support can be provided without any access to patient data. Even so, ICTS will make an additional effort to avoid accessing, viewing, or handling patient data altogether.
Even if your office is not fully HIPAA compliant (for example, if patient data is accessible without password protection or patient files are left out on counters), ICTS will not unnecessarily touch, access, view, or handle any patient data.
If ICTS is asked to perform work that requires access to patient records, clinic data, or practice management systems, HIPAA guidelines will be followed. A comprehensive sample BAA is provided below as a guideline indicating the scope of compliance obligations that would govern such work.
Our promise is to stringently follow best practices. However, because of the broad and varied vulnerabilities present in most offices and practice management systems, access by other third parties, and the possibility of undetected system compromises, ICTS shall not be held liable for any data loss or breach outside the scope of its control.
By typing your name below, as the business owner or authorized agent, your digital signature conveys that you have read the above agreement and accept its terms.
(Agreement Version: 20160324TH0840)
What is HIPAA Compliance?
The goal of HIPAA compliance is to keep healthcare information private, so that it is accessible only to those the patient has authorized or whom the HIPAA rules otherwise permit (for example, for treatment, payment, and healthcare operations).
HIPAA compliance involves the following required practices:
- Put safeguards in place to protect patient health information.
- Reasonably limit uses and sharing to the minimum necessary to accomplish your intended purpose.
- Have agreements in place with any service providers that perform covered functions or activities for you. These agreements (BAAs) ensure that those service providers (business associates) use and disclose patient health information only as permitted and safeguard it appropriately.
- Have procedures in place to limit who can access patient health information, and implement a training program for you and your employees about how to protect your patient health information.
Who Needs to be HIPAA Compliant?
Far more than just hospitals and doctor's offices. HIPAA compliance is also required of any person or business that creates, receives, maintains, or transmits patient health information on their behalf. These third parties (business associates) must sign a Business Associate Agreement (BAA).
You become HIPAA compliant in one of two ways: (1) avoid all access to and handling of healthcare related data, or (2) if you must handle healthcare data, comply with the practices outlined below.
Here are some examples of business associates who need to be HIPAA compliant:
- If you handle healthcare office equipment such as copiers or fax machines that retain scanned documents in memory or on internal storage, you must follow HIPAA guidelines when servicing, transferring, or destroying that equipment.
- If you repair computers that have healthcare information stored on them, you must follow HIPAA guidelines when handling or destroying that equipment. Strictly speaking, HIPAA applies only to protected health information held by covered entities and business associates, so the health records most people keep on their personal computers are not covered; even so, anyone who works on someone else's computer should treat any health information found there with the same care.
Business Associate Agreements are not a substitute for proper protocols and security measures. In other words, patient records should not be protected solely by written agreements with third parties; they should be safe and secure even without such agreements. Patient data stored on computers should be encrypted and protected by passwords so that it is accessible only to authorized staff. Copy machines and other office equipment should use their built-in secure-erase utilities (available on most systems at the time of purchase) so that stored documents are actually overwritten rather than merely deleted.
Covered Entities and Business Associates
The HIPAA Rules apply to covered entities and business associates. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules. (source)
Business Associate Agreement Provisions
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.
A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law.
A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.