We have encryption on the email server itself and in email transmission (SSL). Do we still need the BAA agreement with them?

At Person-Centered Tech, for example, we are often asked whether cleaning services are business associates. They have the potential to come into contact with client information and may even handle furniture that contains records (e.g. moving filing cabinets to clean behind and between them). The cleaning crew's possible contact with information is what HIPAA calls "incidental." For this reason, they are not HIPAA Business Associates. After analysing the risks, you may find that some kind of confidentiality agreement with the service is required, but that is a very different animal from a Business Associate Agreement.

Dropbox or any other cloud storage provider (CSP)? Yes. According to HHS.gov, when a covered entity uses a CSP "to create, receive, maintain or transmit ePHI (e.g. to process and/or store ePHI), the CSP is a business associate under HIPAA.... This is true even if the CSP only processes and stores encrypted ePHI and does not have an encryption key for the data." (www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html) Thus, if a covered entity uses any kind of CSP, be it Dropbox to store documents or an electronic health record system, the covered entity and the CSP must enter into a BAA, even if the data is encrypted and cannot effectively be accessed by the CSP.
This is because, while encryption helps protect the confidentiality of ePHI, it does nothing to ensure the integrity and availability of ePHI, and the Security Rule requires that the confidentiality, integrity and availability of ePHI all be protected by appropriate safeguards. HIPAA requires BAAs between covered entities and business associates. HIPAA auditors, however, have begun to verify not only whether a BAA is actually in place between a BA and a covered entity, but also whether the BAs actually comply with those agreements. A Business Associate Agreement sets clear expectations that the business associates you work with must meet HIPAA's PHI protection requirements. HIPAA compliance alone is reason enough for you to enter into agreements with your BAs. In addition, it is important to know that HIPAA audits are increasing in number and are targeting small practices and organizations. If there are no BAAs in place, this can result in penalties, including fines, which can be particularly problematic for small firms with limited resources.

Do I need a BAA for my accountant? Client names are generally not shown, although a check does show the client's name on my checking account statement, and they work with that.
Does it seem like there are a few too many questions about a BAA in this case? Or do I need the confidentiality agreement that you mentioned, and can you give me one? Finally, I think I read that I don't need a BAA from my bank, although every week they see who sends me a check.... Thank you very much, Roy.

A Business Associate Agreement (BAA) is a written agreement between a covered entity and a business associate (BA) in which the BA agrees to take appropriate measures to protect any PHI it receives or creates while providing services to the covered entity. The purpose of the BAA is to require BAs to give PHI the same protection that the Privacy Rule already requires of covered entities, in order to protect this information from unauthorized disclosure. In principle, the BA agrees to comply with HIPAA's safeguards while working with PHI. Is the CEO a business associate, the covered entity, or something else? There are many institutions and individuals that provide services which would be subject to a BAA.