What is a BAA?
This is a question that I have asked and researched and I want to share what I’ve learned with you. BAA stands for Business Associate Agreement. Read below to learn why it’s important to you as a Teletherapist.
The BAA is essentially a contract between you (the clinician) and the service provider (teletherapy platform) that you will be using to conduct your Teletherapy sessions. This contract is required and satisfies HIPAA regulatory requirements. In a nutshell, if you are handling personal, identifiable information, you should do business only with companies that are willing to provide you with a Business Associate Agreement.
Office for Civil Rights (2013):
A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
A Business Associate is any person or entity that performs functions involving the use of or access to protected health information in order to provide services on behalf of or for a covered entity under HIPAA.
The BAA holds you and the teletherapy platform you use liable if there is a violation of HIPAA Privacy and Security Rules when handling protected health information (PHI). If you are employed by a teletherapy company, you do not need a BAA because the agreement/contract is signed by the teletherapy platform and the company that is employing you. The Business Associate Agreement is a contractual obligation to safeguard PHI.
The Department of Health and Human Services (HHS) conducts periodic audits and you don’t want to get fined if HHS comes knocking. Having a BAA places liability on you and the teletherapy platform to ensure you are both following HIPAA rules and standards.
Want to know more about the privacy and security rules you have to follow as a Telepractitioner? Check out these articles:
Office for Civil Rights, (2013, July 26). Business Associates. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html