" baa Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘baa’

Business Associate Agreements: Fact vs Fiction

Tuesday, August 28th, 2018

HIPAA covered entities form partnerships with third parties to safeguard their data assets effectively. Business associate agreements (BAAs) formalize these relationships and, importantly, describe the HIPAA-related risks and responsibilities that business associates (BAs) will take on.

The written contract between the covered entity and business associate must meet the following requirements:

business associate agreement

  1. State the permitted and required uses and disclosure of PHI by the BA.
  2. Assure that the BA will not use or share information other than as required or permitted by the contract or by law.
  3. Require the BA to implement suitable safeguards to prevent the unauthorized use of information, including deploying the requirements of the HIPAA Security Rule as it relates to protected health information.
  4. Report to the covered entity any use or disclosure of information not provided for by the contract.
  5. Agree to disclose PHI to meet the covered entity’s obligation to provide individuals a copy of their PHI, and also either provide PHI for amendments or incorporate amendments.
  6. Adhere to the requirements of the Privacy Rule to the extent required.
  7. Provide to the Department of Health and Human Services records, practices and books related to the use and disclosure of PHI.
  8. At the termination of the contract, destroy or return all PHI created or received by the BA on behalf of the covered entity.
  9. Ensure that any subcontractors the BA engages must comply with substantially the same conditions and restrictions that apply to the BA.
  10. Authorize termination of the contract by the covered entity if the BA violates a material term of the contract.

Read the rest of this post »

HIPAA Business Associate Agreement: Do I Need One?

Thursday, July 12th, 2018

A business associate (BA) is an individual or an entity who could come in contact with protected health information (PHI) by providing services to or performing activities on behalf of covered entities. Your employee is not a business associate, but your web host, email encryption service, billing company and lawyers could be, and these are just four examples. BAs of BAs (BA’s contracting with your vendors) further extend the chain.

Not all entities that access PHI must be business associates. For instance, the cleaning company that disposes trash from your office does not qualify as a business associate even though there is a possibility of the cleaning crew coming in contact with identifying patient information in dustbins or laying on FAX machines or desks (though if they do, then your employees did not manage the PHI properly). However, it is important to have a clear reporting mechanism in place where cleaning company workers can alert a point person in your office when they come across PHI.

Business associate agreement do I need one?

The Omnibus Rule provides multiple categories of business associates, including health information organizations (HIOs), anyone offering personal health records to individuals on behalf of covered entities, and covers a variety of service categories such as data aggregation, accreditation, actuarial and administrative services dispensed to a covered entity provided such services involve the disclosure of patient health information. Use this link for more information on business associates.

Read the rest of this post »

How Is HIPAA-Compliant Email Different from Secure Email?

Wednesday, June 21st, 2017

Protected health information (PHI) is heavily regulated under HIPAA, but the exact details can be confusing. The regulations are designed to keep everyone’s private information safe, but they also put a significant amount of responsibility on businesses.

HIPAA regulations apply to just about every aspect of a person’s medical information, including their transit, storage and security. Because email is such an important and extensively-used form of communication, HIPAA regulations apply to it as well.

HIPAA-compliant email vs secure email

Some may think that secure and encrypted email is all you need to keep PHI safe and emails compliant. The reality is that HIPAA email regulations go above and beyond standard secure email. To protect your business, you need to make sure that your email provider is HIPAA-compliant, not just secure.

Read the rest of this post »

What is HIPAA-Compliant Cloud Storage?

Friday, November 11th, 2016

HIPAA-compliant cloud storage complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure the security of healthcare patients’ data stored on remote servers accessed from the internet.

HIPAA governs how healthcare providers and their business associates, as defined in the Act, can store, manage, and share personal health information (PHI). If you’re a healthcare provider (or a cloud storage provider working with a healthcare provider), it’s important to understand how HIPAA applies to cloud storage.

With the rising popularity of services like iCloud and Dropbox, many people and companies have become more comfortable with cloud storage. There’s no question these services are convenient; being able to access universally synced data anytime, anywhere, from any device, is incredible.

HIPAA-compliant cloud storage

But that doesn’t mean these services are HIPAA-compliant. HIPAA introduces particular requirements that not every cloud storage provider satisfies.

Don’t make the mistake of assuming that a particular cloud storage option will comply with HIPAA. Storing your data “in the cloud” can make it difficult to achieve the level of security required of healthcare.

Here’s what you need to know about cloud storage to make sure your data is safe and sound — and HIPAA-compliant.

Read the rest of this post »

Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price

Wednesday, October 8th, 2014

There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by HIPAA regulations.  Those who are familiar with Google may be under the incorrect assumption that simply signing up for Google Apps will solve all their HIPAA compliance challenges.  This seems to be increasingly less likely as of October, 2014.

Myths and hidden costs pervade this equation. If a HIPAA-aspiring entity isn’t fully educated about the finer details of the compliance process, they could end up paying very large amounts of money for Google services and still be non-compliant. Here we discuss some misconceptions about Google services as they apply to HIPAA to help you avoid the pitfalls of non-compliance.

Read the rest of this post »

LUXSCI