So you’ve heard of HIPAA, but what is a BAA?
A BAA, or Business Associate Agreement, is a contract between a HIPAA-covered entity, such as a registered dietitian who handles protected health information (PHI), and a business associate: any outside person or company that creates, receives, maintains, or transmits PHI on the covered entity's behalf. BAAs have been required by the HIPAA Privacy and Security Rules since those rules took effect; the HITECH Act of 2009 went further and made business associates directly liable under HIPAA for their own compliance.
(P.S. – If you need a refresher on the jargon, check out our crash course to HIPAA.)
The main purpose of a BAA is to spell out what the business associate (BA) may and may not do with your PHI, to hold the BA accountable for HIPAA non-compliance, and to establish in advance how a breach of PHI will be handled.
Business associates can be hard to identify, because the test is whether a third party handles PHI on your behalf, not what kind of company it is. For dietitians and nutritionists, the most common business associates are:
- Your EHR platform, like Healthie
- Videoconferencing software
- A clearinghouse that files insurance claims
BAAs may be completely foreign to you, but you shouldn’t worry if you’ve never worked with them. Having a BAA is not essential to run your private practice; you need one only for each third party that handles PHI on your behalf. A practice that keeps paper charts, schedules by hand, and bills on paper, without sending PHI to any outside vendor, has no business associates and therefore no need for a BAA. However, most private practices these days use some type of platform, like Healthie, and then a BAA is necessary.
When it comes to HIPAA-compliant software, you have two options. Both require a BAA, but the two options are very different.
- Consumer-grade “freemium” services, like Skype, Gmail, and Google Drive. These are easy to use and widely available, but the basic consumer tier is not HIPAA-compliant and the vendor will not sign a BAA for it. To use these services legally with PHI, you must move to a paid business tier for which the vendor offers a BAA, and actually sign it. A free account with no BAA in place is a HIPAA violation no matter how carefully you use it.
- Fully HIPAA-compliant services, including EHRs like Healthie. Healthie is fully compliant and covers a wide range of services beyond just storing PHI. For example, Healthie includes unique food logging and metric tracking, easy-to-create superbills, and videoconferencing! Platforms that are compliant on every plan, regardless of which one you choose, are much safer than your average “freemium” plan. Even so, a signed BAA is the starting point rather than the finish line: you still have to use the platform's security settings and keep PHI from leaking out into unprotected tools such as personal email or text messages.
Now that you know you likely need a BAA, here’s what it should include:
- Well-Defined Terms. All contracts require clear definitions of key terms in order to avoid legal ambiguity. Phrases like “protected health information,” “business associate,” and “HIPAA” have specific regulatory definitions, and the BAA should use them consistently with those definitions. You and your business associate should both understand what they mean.
- The Process for Dealing With a Data Breach. How will the BA detect, contain, and report a breach if one occurs? This is possibly the most important part of a BAA. HIPAA's Breach Notification Rule requires a BA to notify the covered entity of a breach of unsecured PHI without unreasonable delay, and no later than 60 days after discovering it. Your BAA should set a notification deadline at least that tight, say what the notice must contain (which individuals and which data were affected), and make clear that the BA is accountable for breaches on its side just as you are on yours.
- How the BA Handles Audits and Investigations by the Office for Civil Rights (OCR). Since HITECH, BAs are directly subject to OCR enforcement, including audits and complaint investigations. A BAA must obligate the BA to make its internal practices, books, and records available to the Department of Health and Human Services, and it should also state how the BA will notify you of an OCR inquiry and how it will remediate any findings.
(If you need the exact required clauses or definitions, the BAA requirements are in 45 CFR 164.504(e), with the definitions in 45 CFR 160.103. The regulation also requires terms the list above does not cover, such as flowing the same obligations down to the BA's own subcontractors and returning or destroying PHI when the contract ends.)
The most important thing to remember about BAAs is that they are contracts. They must be as well-written and legally protective as any other contract.
If you have any jargon or tips for writing effective BAAs, let us know by commenting below.