Business Associate

Business Associate Agreements are necessary contracts between healthcare providers and Business Associates. Required by HIPAA, the BAA provides protections for your office and the PHI that your office shares with Business Associates.

When a breach occurs, offices are required to notify the patients whose information may have been compromised in the breach. This is known as the Breach Notification Rule.

Under the HITECH Act, passed in 2009, the secretary is required to post all breaches affecting 500 or more patients to the internet. This applies to all medical providers and Business Associates. This web site is commonly referred to as the HIPAA Wall of Shame. You can find it at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Understand what a Business Associate is, how to determine if an entity is a Business Associate or Covered Entity and the Business Associate Agreement.

When you have a Business Associate Agreement in place you always can send a letter terminating the relationship. When you send that letter, you should instruct the Business Associate to delete all your patient data, and if that is not feasible that hey are responsible to protect that data under the HIPAA regulations. It is always best to have an attorney review the letter prior to sending it.

An opinion on when you need Business Associate Agreements when working with Durable Medical Equipment Vendors.

One of the more common causes of Government Investigations into possible HIPAA violations are patient complaints.

in order to be HIPAA Compliant, you must maintain a "Culture of Compliance" at your office. This can include keeping your software up-to-date, regular required training and addressing risks that pose to your office. This month we address HIPAA training, encrypting your drives and Business Associate Agreements

Very often we have companies that provide us with computer hardware and software support can access our computer systems. The question is how secure are our trusted partners? In this case an Orthopedic Clinic did not properly manage access to their network and it cost them $1.5 million.