A business associate agreement (BAA) is a contract between two parties – a covered entity and a business associate – that outlines each party’s responsibilities regarding HIPAA compliance. HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law that regulates the use and disclosure of protected health information (PHI). A BAA is required by law whenever a covered entity shares PHI with a business associate.
If you are a covered entity that needs to share PHI with a business associate, or if you are a business associate that needs to sign a BAA with a covered entity, it is essential that you have a sample BAA to work from. Here is an overview of a typical BAA and what it should contain:
1. Definitions
The BAA should begin with a section that defines important terms used throughout the agreement. This section should define terms such as “covered entity,” “business associate,” “PHI,” and “HIPAA.”
2. Obligations of the Business Associate
This section should outline the specific obligations of the business associate under HIPAA. The obligations typically include the following:
– Implementing safeguards to protect PHI
– Reporting any breaches of PHI to the covered entity
– Complying with the HIPAA Privacy Rule and Security Rule
– Ensuring that any subcontractors comply with the BAA
3. Permitted Uses and Disclosures of PHI
This section should set out which uses and disclosures of PHI the business associate is permitted to make. Those uses and disclosures should be limited to what is necessary for the business associate to perform its services for the covered entity.
4. Term and Termination
This section should specify the term of the BAA and the process for termination. The BAA should be in effect for as long as the business associate is in possession of PHI.
5. Compliance with HIPAA
This section should outline the specific requirements for HIPAA compliance by the business associate. This includes requirements for training, documentation, and audits.
6. Indemnification
This section should outline the indemnification obligations of each party. The business associate should agree to indemnify and hold harmless the covered entity for any breach of the BAA or HIPAA.
7. Miscellaneous Provisions
This section should include any other provisions that are necessary, such as notice provisions, governing law provisions, and confidentiality provisions.
In conclusion, a BAA is an important contract that outlines the responsibilities of both the covered entity and the business associate regarding HIPAA compliance. Working from a sample BAA helps ensure that all necessary provisions are included in the agreement and gives you confidence that your PHI is being handled in accordance with HIPAA regulations.