Importance of a Business Associate Agreement
The Privacy Rule under HIPAA requires the safeguarding of protected health information (PHI) and applies to all covered entities (CE) – healthcare providers, health plans and healthcare clearinghouses. Most providers do not carry out ALL their necessary healthcare functions. Billing, medical software, and electronic health records are just a few examples of services that must often be outsourced to other organizations, commonly referred to as vendors or business associates (BA). The Privacy Rule allows covered entities to disclose PHI to BAs so long as the provider obtains satisfactory assurances that the BA will use the protected information only for the intended purpose and will safeguard the information from misuse.
These terms and assurances should be outlined in a formal document called a business associate agreement (BAA). The problem is that many providers rely on multiple BAs to help with their processes, and each of those BAAs needs to be managed in an organized and efficient way.
As part of our goal to deliver a comprehensive compliance solution to our clients, HIPAA One has created a tool that allows healthcare providers to create and organize vendor contracts in one easy, web-based application. The HIPAA One® vendor management solution (VMS) is software designed to provide you with a single location to store and manage your vendors, including HIPAA-defined Business Associates (BA), and to create and manage BAAs in support of the services provided to your business.
The Simplest Way to Manage your Contracts
VMS offers the same functional, intuitive software as our other tools, with additional features such as:
- Flexible, customizable contract templates
- Requesting proof of compliance
- Bulk upload of vendor information
- Built-in electronic signature capabilities
- Automated task reminders and status tracking
VMS offers automated solutions for some of the most difficult aspects of business associate agreements, such as creating a legally binding document from scratch, requesting vendor proof of compliance, inputting and organizing vendor information, and remembering to complete tasks and upkeep throughout the year.
Why does it matter?
Because a BA's use of protected health information is an extension of the CE under the Privacy Rule, the CE is responsible for ensuring that BAAs are in place and up to date. Additionally, if a BA experiences a breach, the CE is liable for notifying the Department of Health and Human Services as well as their patients, even if the breach is through no fault of their own. With VMS, covered entities can use features to ensure that their BAs remain in compliance and reduce the risk of a breach.
How does it work?
Utilizing VMS is simple:
- Upload your organization’s information
- Modify the sample agreement or copy-paste over a previous agreement from another document
- Input vendor information, assign vendors to a contract group, and push send
- Track vendors’ contract statuses such as viewed, not viewed, approved, rejected, etc.
- Set auto reminders for upkeep purposes
VMS comes included with every HIPAA One account at no additional cost. For more information, visit our solutions page.