SOURCE: LockPath, Inc.

June 09, 2015 00:00 ET

10 Essential Components of a Business Associate Agreement

OVERLAND PARK, KS--(Marketwired - June 09, 2015) - HIPAA requires that covered entities and business associates (BAs) enter into contracts, known as business associate agreements (BAAs), that limit how BAs may use PHI and ensure they safeguard it. It is extremely important for organizations in the health care space to continually monitor their BAAs to stay compliant and help prevent a breach.

To comply with HIPAA, covered entities should have an agreement with every vendor that touches PHI. According to HHS, a BAA must:

  1. Determine when and how the BA is allowed to use or disclose PHI.
  2. Require that the BA will not use or disclose PHI other than what has been permitted by the contract or required by law.
  3. Establish what safeguards will be put in place to prevent unauthorized PHI disclosure. This includes implementing HIPAA requirements surrounding electronic PHI.
  4. Require the BA to report any use or disclosure of PHI not covered by the contract to the covered entity, including incidents or breaches of unsecured PHI.
  5. Ensure the BA will disclose PHI as specified in the contract to satisfy a covered entity's obligation with respect to individuals' requests for copies of their PHI. PHI should be available for amendments as well.
  6. Where the BA carries out a covered entity's obligation under HIPAA, require the BA to comply with the HIPAA requirements that apply to that obligation.
  7. Ensure internal practices, books and records relating to the use and disclosure of PHI by the BA will be made available to HHS to determine the covered entity's HIPAA compliance.
  8. Require the BA to return or destroy all PHI received from the covered entity, or created or received by the BA on the covered entity's behalf, upon termination of the contract.
  9. Require BAs to enter agreements with their subcontractors that may have access to PHI.
  10. Allow the covered entity to terminate the contract if the BA violates a material term of the contract.

Whether it's a HIPAA violation or a breach, business associates have the potential to land your organization in hot water. They are, however, a necessary risk. The best way to ensure compliance is to be vigilant and effectively manage your BAAs. Here are a few quick tips on how to do so:

  • Keep all agreements in a centralized location that can be easily accessed at any time
  • Know when agreements expire
  • Continually monitor BA compliance by issuing assessments
  • Include BAs in your risk analyses

Manual processes, such as spreadsheets, text documents, or notebooks, can make managing vendors and business associates a daunting task. Many healthcare organizations have found that leveraging a governance, risk and compliance (GRC) tool like LockPath's Keylight can help to avoid the uncertainty of BA compliance.

About LockPath
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.
