If this is the first time your practice is entering into a contract with a healthcare IT vendor, then according to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), each party must enter into a Business Associate Agreement (BAA) and follow it to the letter to remain HIPAA compliant. But before you sign any IT vendor’s contract, there are questions you may want to ask about the BAA before obligating your practice and tying it to a healthcare IT “Business Associate.”
Before you start, you must familiarize yourself with what a BAA is and with the ten requirements you must adhere to in order to remain compliant. Under HIPAA, a BAA is a detailed written contract between a covered entity (you) and a business associate (your healthcare IT vendor, in this scenario). The written BAA contains a minimum of ten mandatory provisions outlining each party’s responsibilities for your patients’ Protected Health Information (PHI).
The easiest way to explain who or what a business associate is, we’ve found, is to quote the U.S. Department of Health and Human Services website. Its definition of a business associate is excerpted below:
“A business associate is a person or entity that performs specific functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.”
Now here is where pressure might be put on you to sign a service contract prematurely, if this is your first Business Associate Agreement process. Typically the covered entity (you) and the healthcare IT vendor each have their own company’s BAA that they want the other side to sign before either enters into an IT service contract. At times it can become a “war of the agreement forms,” with each side insisting on whose form will be signed.
The critical point to remember: it’s not whose form is used, it’s the content and language inside that form that carries all the weight. In the event of a breach, you don’t want to learn later that you are responsible for something the vendor should have been responsible for, simply because no provision for it was made before signing.
Can you negotiate the BAA? Yes, by all means. Even if your practice is small, never conclude that you cannot negotiate critical provisions. In this process, each side gives and takes. Just remember that the form must contain the ten mandatory requirements outlined by HIPAA; that part is not negotiable. If the IT vendor does not allow you to negotiate when using their BAA form, you may want to hold off and reach out to another IT vendor business associate for other options.
Remember these three words: “Level of Risk.” Not every healthcare IT vendor will interact with your patients’ health information (PHI) in the same way another might. It comes down to the amount and type of PHI that is created, received, maintained, and transmitted by your business associate, based on the terms inside the BAA.
Two possible examples:
Besides the level of risk, you will also want to discuss any issues or risks that are specific to healthcare IT, such as:
As you or your attorney design your Business Associate Agreement, there is much to consider before you sign the IT vendor’s service contract. Don’t feel pressured to sign the contract now, before you have negotiated the BAA terms. Whatever you decide, do not rush into signing until the Business Associate Agreement has been agreed upon and signed by both parties.