Understanding what should be included in a required HIPAA BAA is essential.
Earlier this month, I wrote an article HIPAA: Back to basics with the BAA, where I promised to write about the nuances of the requisite business associate agreement (BAA). Unless someone is new to the healthcare industry or a business associate (which includes subcontractors) that recently started creating, receiving, maintaining, or transmitting (including storage) protected health information (PHI), by now there should be an awareness that a business associate is directly liable under the HIPAA Rules. Like covered entities, business associates may be subject to civil, and in egregious cases, criminal penalties.
This leads us to the BAA—a written agreement between the parties that serves three primary purposes:
Notably, after having read and drafted numerous BAAs, one quickly learns that all BAAs contain very similar, if not identical language. That’s because BAAs have certain content requirements, which must be included. Other items, such as particular state law, venue/jurisdiction, and indemnification (just to name a few) are not compulsory but are often seen.
As HHS explains on its website, a BAA is “[a] written contract between a covered entity and a business associate [or a business associate and its subcontractor that] must:
Armed with this information (and after reviewing the HHS website link), readers should come away with a renewed appreciation for what must be included in a BAA and what may be included. It never ceases to amaze me when I receive (often caustic) questions or pushback on the compulsory items that HHS has set forth. This article may serve as a basis for a polite way to push back if faced with a similar situation.