Do You Remember the HIPAA BAA?
By Chuck Humphrey, B.A., EMT-B, CAC, CACO, CADS, *
It was 2003…
That was when the Health Insurance Portability and Accountability Act of 1996 finally became a reality with regard to the relationship between a healthcare provider of service, known as the Covered Entity, and contracted service providers, called Business Associates. The document mandated to seal that relationship is known to us as the Business Associate Agreement (BAA).
For many of us in the EMS world, these documents sometimes get lost in the shuffle. My guess is, for many of you, someone in charge of your agency 20 years ago paid a good deal of attention to these. Since then, what has happened?
My fear is nothing.
So, let’s take a quick look to refresh your memory or to focus your first-time attention onto this important mandate.
It’s a Contract…of sorts…
The BAA is a contract, of sorts. The mandate under HIPAA says that there must be a document that establishes what the Business Associate can and cannot do while working with the Covered Entity and coming into direct or indirect contact with patients’ Protected Health Information (PHI).
The BAA must meticulously establish the permitted and prohibited uses and disclosures of PHI by the Business Associate and lay the ground rules for how this information is handled throughout the length of the business relationship between the Covered Entity and the Business Associate. The document clearly defines those parameters and the actions that must be taken should there be a breach of PHI caused by the Business Associate in the course of conducting business with the Covered Entity agency.
Who/What is a Business Associate?
By way of definition, your ambulance agency is the Covered Entity.
The Business Associate is a person or business who works together with your agency in the course of doing business. Examples of Business Associates can be an outside billing agency like Quick Med Claims, an ePCR company, an accounting firm, a file-sharing vendor, an IT vendor, a shredding company or any number of other businesses that you contract and work together with in the course of manipulating patient data.
When to Ink a BAA?
The best practice for your EMS agency is to be sure to execute a Business Associate Agreement PRIOR to conducting business. If any contractor or outside agency has the potential to see, handle, manipulate, or otherwise work with PHI, be it directly onsite at your location or digitally and/or remotely, then a BAA must be inked.
Executing a BAA means that the two parties have agreed on the verbiage required in the BAA by the HIPAA regulations, have reviewed the document with a full understanding of the limitations and responsibilities contained therein, and have then had authorized representatives of both your EMS agency and the Business Associate person/entity sign this legally binding document.
But that’s not the end of the responsibility.
The provisions of the BAA must be followed closely, and the Covered Entity must review and oversee the Business Associate’s adherence to them. Like any piece of the EMS compliance continuum of rules and regulations, compliance is NOT about having reams of paper sitting on a shelf in a dusty binder. Compliance must live and breathe the HIPAA rules, which means that constant monitoring and verification steps are taken to ensure that the BAA provisions are being followed by the Business Associate.
What if…?
By now I hope you are not asking yourself, “What if I don’t have BAAs in place?”
Well, if HIPAA is but a foggy reality for you, then it’s time to do a full review of your HIPAA policies and procedures. I’d suggest that you begin by making a quick list of all of the vendors, contractors, consultants and others who have any kind of potential access to your patients’ PHI. Once you have developed that list, pull whatever files contain the HIPAA BAAs in your office and verify that there is a BAA in place with each contractor.
If a BAA is not on file for any one of the Business Associates you work with, then RIGHT NOW is the time to execute a Business Associate Agreement.
Why, right now?
Because…if ever the “HIPAA police” come knocking to review your files (which can happen should a breach occur) you don’t want to be caught without the properly worded BAAs in place. The Office for Civil Rights (OCR) enforcement people do not take lightly their responsibilities under the HIPAA mandates and have been known to be quite forceful in assessing steep penalties on healthcare agencies when all the proper paperwork, controls, and processes to protect patients’ PHI are not in place. The penalties for HIPAA non-compliance have upper ceilings that top well over a million dollars. Don’t fool yourself into thinking that an amount like that can’t be assessed against your EMS agency – large or small.
Blow off the Dust!
Today is the day to blow off the dust from your HIPAA compliance plan and review those HIPAA BAAs. In fact, it’s most likely time to review all of your HIPAA documents and procedures, not just the BAAs. But, beginning with a BAA review will be a really good Step One!
*Chuck Humphrey is the Senior Director of Compliance and a Territory Sales Manager for Quick Med Claims. He is one of our industry experts with over 30 years of experience in the EMS industry.