HIPAA Privacy and Security


The importance of HIPAA compliance cannot be denied, and protected health information (PHI) is often shared with third parties, that is, with your business associates. HIPAA obligations do not end when PHI is handed to a business associate: the covered entity remains responsible for ensuring that the information is protected wherever it goes.


Business associates are best defined as third parties who perform services for a covered entity and who handle, or could come into contact with, protected health information in the course of that work. Common examples of business associates are lawyers, accountants, billing companies, IT contractors, cloud storage services, email encryption services, web hosts and many similar parties. It is a necessity to sign a Business Associate Agreement (BAA) with each of them. The terms of this contract state how they will handle the information given to them and how they will maintain the privacy and security of that information on your behalf.


The Business Associate Agreement clearly specifies the obligations the business associate will adhere to:

1] Protecting PHI- This means the business associate agrees to implement the administrative, physical and technical safeguards required by the HIPAA Security Rule, as well as the applicable standards of the Privacy Rule. The business associate should be able to provide copies of its HIPAA policies and procedures if asked to.

2] Training Employees- Training on HIPAA policies is essential for your own organization, but it is of equal importance for the employees of the business associate. All of the business associate's employees who handle PHI, including electronic PHI (ePHI), should be trained on their duties for protecting it. The business associate should be able to show records of what training was given to which employees and when.

3] Breach Notification- In the event of a breach of the security or privacy of PHI, the business associate must notify you without unreasonable delay. The HIPAA Breach Notification Rule allows a business associate no more than 60 days after discovery to notify the covered entity, but it is good practice for the BAA to set a much shorter contractual deadline, for example within 15 days of discovery, so that you have time to act. As the covered entity, you must notify the affected patients without unreasonable delay and no later than 60 days after the breach is discovered, and you must also notify HHS (within the same 60 days for breaches affecting 500 or more individuals, or in the annual log for smaller breaches). Because your own clock starts at discovery, the BAA should also require the business associate to notify you of any suspected breach, not only confirmed ones.

4] Subcontractors- HIPAA obligations are not confined to the business associate; they extend to the business associate's subcontractors as well. A subcontractor that creates, receives, maintains or transmits PHI on behalf of a business associate is itself a business associate and must comply with the same HIPAA Privacy and Security requirements. The business associate is required to sign its own Business Associate Agreement with each such subcontractor.

5] Return or Destroy Information- When the service contract with the business associate ends and the business associate no longer needs access to PHI to perform any service, it must return or destroy all PHI it received from you as the covered entity, and retain no copies. The same applies to any subcontractors that hold the data. If return or destruction is not feasible (for example, data held in backups that cannot be selectively purged), the business associate must continue to protect that PHI under the terms of the agreement and limit its use to the purposes that make return or destruction infeasible.
