BAAs: What are they, and how can I write a good one?

So you’ve heard of HIPAA, but what does a BAA do? BAAs, or business associate agreements, are contracts that is legally mandated by HIPAA, specifically the HITECH Act of 2009. (PS, if you need a refresher on the jargon, check out our crash course to HIPAA). A BAA is between a HIPAA covered entity, which is an RD who handles protected health information (PHI), and a business associate, any company that has access to and regularly works with PHI; the main focus of the document is to hold business associates (BA’s) accountable for HIPAA non-compliance and to establish a plan if PHI is leaked. Though business associates may be hard to identify, for dietitians, they tend to be EHR or videoconferencing software.

BAAs might be completely foreign to you, but you shouldn’t worry if you’ve never worked with them; they’re not essential to run a private practice. Practices that use only manual scheduling and physical billing have no need for BAAs because no software is being used; however, most private practices in this day and age use some form of software for dietetic work and BAAs to enable them.

When it comes down to HIPAA-compliant software, you have two options; you need to sign BAAs with both, but they’re very different:

  • Non-compliant “freemium” services, like Skype, Gmail, and Google Drive. These are easy to use and widely available; however, the basic service is not HIPAA-compliant. You must enter a BAA with the company and pay a fee in order to be legally compliant.
  • Fully compliant services, including EHRs like Healthie. These websites are fully compliant and usually cover a range of services beyond just storing PHI; Healthie, for example, includes unique diet and health metric tracking, superbilling, and videoconferencing! Websites that are always compliant, regardless of what type of plan you have, are much safer than your average “freemium” plan.

A well-written BAA should have these components:

  • Defining your terms. Key terms in any contract must be outlined in order to avoid legal ambiguity. Phrases like “protected health information”, “business associate”, and “HIPAA” have specific definitions, and you and your business associate have to understand what they mean.
  • How the BA will deal with data breaches. This is possibly the most important part of a BAA. As partners, your business associate should be just as accountable as you are if a data breach occurs; your contract should reflect that idea.
  • How the BA will handle audits from OCR. HITECH specifies that HIPAA business associates are subject to audits from the Office of Civil Rights (OCR). Make sure the BAA details exactly how a business associate will report and fix a data breach.

(If you need some help finding detailed clauses or definitions, check out the Code of Federal Regulations’ section on HIPAA.)

The most important thing to remember about BAAs are that they are contracts, and must be as well-written and legally protective as any other contract. Let us know your tips for writing effective BAAs and about other parts of HIPAA you want us to blog about next!

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top