November 11, 2020
Does my business really need Business Associates Agreements?
Think of it as building unscalable walls and a deep moat around your business, protecting your personal wealth from liability arising from operational failures by the third parties your business has hired to handle critical workflow processes.
Economic realities have driven many businesses in America to outsource non-core functions, which may include:
- Billing Services
- IT Service and Cloud Storage Providers
- Shredding Services
Business Associate Agreements (BAAs) are an essential part of the infrastructure you should have in place to protect your medical practice. The HIPAA Privacy and Security Rules require that every Covered Entity (including medical practices and other healthcare providers) have a signed BAA in place with any Business Associate it hires that creates, receives, maintains, or transmits Protected Health Information (PHI) on its behalf.
The BAA should state that both parties are subject to HIPAA: the Covered Entity that issues it and the Business Associate that signs it. A good BAA protects both parties. It spells out the permitted uses of PHI, the safeguards the Business Associate must maintain, the steps each party must follow in the event of a breach (including breach notification), and, where the parties agree to it, how financial liability is allocated. Importantly, it also helps protect the Covered Entity's reputation.
Here are 3 steps you need to take to protect your Healthcare business:
1. Work only with Business Associates that commit to complete protection of PHI and are willing to sign a BAA with your organization.
2. Choose Business Associates that have documented operational procedures which limit the risk of a data breach (in the case of shredding services, that means requiring shredding on-site at your location).
3. Select Business Associates that can provide rapid support in the event of a breach, accurate data on the extent of the PHI exposure to your organization, and meaningful immediate measures to contain the breach and reduce the liability risk to your firm.
In the final analysis, vetting Business Associates (third-party vendors or processors) is one of the key responsibilities of any Practice Manager or Practice Administrator.
Vetting against the HIPAA rules can be facilitated by external consultants. In the shredding industry, it can also be assisted by requiring that vendors have their operating practices certified by external bodies, such as the National Association for Information Destruction (NAID), or audited against standards from the International Organization for Standardization (ISO).
For more information, contact Greg Gálvez at [email protected] or 678-580-1155