A BAA agreement (business associate agreement) is a contract required under HIPAA that protects patients' protected health information (PHI) when that information has to leave the office or clinic in which it was created. The agreement is drawn up between a covered entity, such as a medical practice or hospital, and any individual or business that is not directly employed by that provider but may come into contact with PHI in the course of its work for the provider.
The goal is always to protect the patient, but these agreements also protect the healthcare providers who contract with outside businesses, by spelling out who is responsible for what should a medical privacy issue arise.
What Is a BAA Agreement?
A BAA agreement is not a simple document in which the business associate merely promises to be careful with patient data. It is a lengthy and specific document that spells out what protecting patient privacy means in practice, how the business associate may and may not use and handle PHI, and what the consequences will be if the agreement is violated.
The following is included in a BAA agreement:
- What PHI the business associate will access, and for what purpose
- The safeguards the business associate must apply to each category of PHI it handles
- The explicit requirement that the business associate not use or disclose PHI except as the agreement permits
- The training the business associate's workforce must complete, and the record of that training
- The business associate's duty to report a breach of PHI to the covered entity, and the penalties that follow a breach
- How and when the BAA agreement may be terminated, including termination for a material violation
- A detailed process for returning or destroying PHI when the relationship ends, where that is feasible
Why Is a BAA Agreement Necessary?
Many healthcare businesses rely on outside businesses to run the back end of the practice efficiently and to deliver care to patients. For example, a clinic may use an outside company to transport test specimens to or from a lab, to manage x-rays and scan and store them after they are taken, or to handle other details of healthcare administration.
Under HIPAA, a covered entity may not share PHI with such a vendor unless a BAA agreement is in place; operating without one is itself a violation. If the vendor or one of its employees then puts that data at risk, the healthcare organization that engaged them is exposed to liability for the resulting harm with no written record of the expectations and responsibilities the business associate had accepted.
How to Create a BAA Agreement
If you or your organization works with outside organizations or businesses that handle PHI, it is a good idea to create a BAA agreement specific to each business associate. Make sure you are covered and get the support of Florida Healthcare Law Firm in this process to make sure the agreement is ironclad.