29 Jul 2019

The HIPAA Privacy Rule states that clearinghouses, covered entities, and business associates are required to follow the HIPAA security and privacy rules. According to the U.S. Department of Health & Human Services, the Privacy Rule “requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

So, who is a business associate? A business associate is any person or entity that creates, receives, maintains or transmits protected health information (PHI) from or on behalf of, or provides services to, a covered entity. This distinction trickles down to sub-contractors as well. Law enforcement and government agencies, however, are not considered business associates and may request PHI as needed.

A business associate agreement (BAA) fulfills the “in writing” stipulation of the Privacy Rule. It is required for any business associate, and provides the covered entity with assurances that the business associate will comply with HIPAA and maintain the security of the PHI. This is particularly important when a data breach occurs at a business associate rather than at the covered entity. If the covered entity can demonstrate due diligence in preventing the breach, the BAA will transfer most of the financial liability for the data breach to the business associate itself.

Here are three of the most common mistaken beliefs Datica hears about Business Associate Agreements:

  1. The vendor in question doesn’t need to be HIPAA-compliant because they aren’t storing data. Even if the vendor claims they are not storing PHI, having PHI pass through their systems still requires protection under HIPAA. A BAA serves as a written promise of this.
  2. They are HIPAA-compliant because they encrypted the data in transit and in storage. This is certainly crucial, but there is so much more to HIPAA than encrypting data. You can read about everything we do to be HIPAA-compliant in our policies. At a minimum, a vendor must encrypt data and ensure physical media meets HIPAA’s physical security requirements. As a result, that vendor would need to have a BAA signed with their hosting vendor to ensure legitimacy.
  3. The subcontractor doesn’t need to sign a BAA because the vendor they’re subcontracting for already has one in place with the covered entity. As of 2013, this is false. As soon as PHI passes through your system, you are also automatically considered a business associate and the vendor you subcontracted with will require a BAA from you. In fact, the latest rules state that covered entities MUST ensure they obtain satisfactory assurances from their business associates, and they must do the same with their subcontractors, and so on, no matter how far “down the chain” the information flows.
