What's a BAA and Why Is It Important?

Think back to the last time you purchased some type of software for your treatment center.  When you were talking to the vendor or your team, did you discuss signing a BAA. A BAA or Business Associate Agreement is a must-have to satisfy HIPAA requirements. If you are thinking about working with a technology partner for alumni engagement, patient information, or customer relationship management you need to have a BAA in place.

Anytime you are dealing with protected health information (PHI) a BAA needs to be in place between your treatment center and the “Associate”. A associate is a person or company that creates, receives, transmits or maintains PHI on behalf of your treatment center. If a vendor is going to handle PHI, for any reason, they must sign a BAA.

There are a number of items that need to be in a BAA to fully protect you and your patients. A BAA will outline:

  • Permitted uses and disclosures of PHI

  • Details of your requirements under the regulations

  • Procedures to follow if there is a breach

  • How to terminate if necessary

As you are talking to technology partners, you need to ask them about their data security policies and procedures. Specifically ask if they are HIPAA compliant and if they have offer a BAA. If they won’t sign a BAA, then you should look elsewhere. Every vendor who works with PHI should be comfortable signing a BAA.

Here is a sample BAA for your use.  You may want to have your lawyer review to make sure it covers the specifics for your program. As always, this post is for informational use and not intended for legal advice.