eHealth Tidbit - Business Associate Agreements

By eHealth Specialist Jennifer Lavalley

Do you ever question whether a Business Associate Agreement (BAA) should be put into place between your organization and an organization you are associated with or working with? We have put together a “Top 10” list to help you decide when a BAA is necessary.

Top 10 reasons for using a BAA:

  1. Outline the use and disclosure of protected health information (PHI).
  2. Restrict the business associate’s use of PHI, i.e. the conditions of use.
  3. Identify risk management processes, including the safeguards that will be used and how HIPAA requirements surrounding PHI will be implemented.
  4. Require accounting of any use or disclosure of PHI that is outside the contract specifications. This is to include any breaches or incidents.
  5. Ensure that the business associate will disclose individuals’ PHI upon request or amend PHI if properly requested.
  6. The BAA should comply with HIPAA-related obligations.
  7. The business associate’s operations relating to the use and disclosure of PHI are available to the U.S. Department of Health and Human Services for verification of HIPAA compliance.
  8. Termination clause: require that all PHI be returned or destroyed at the end of the contract.
  9. Require business associates to follow these same requirements with their subcontractors.
  10. Allow termination of the contract if the business associate violates any conditions of the agreement.

If you have questions about BAAs or other ways to protect your patients’ PHI, please contact your eHealth Specialist.