BAA, BAA, the Relationship Between the Sheep and the Lamb

Whenever a business/organization has a business associate relationship with an individual or entity, a Business Associate Agreement (BAA) that complies with HIPAA (Health Insurance Portability and Accountability Act) and the Health Information Technology Act of 2009 (HITECH ACT) must be executed between the parties. 

A Business Associate is defined as a person or organization that creates, accesses, uses, discloses and/or stores PHI (personal health information) in order to perform a function, service or activity by, or on behalf of, a Covered Entity.

The following is a list of criteria that may be used to assist you in determining business associate status so that you can decide whether or not a BAA (Business Associate Agreement) is necessary in your relationship.

If the answer to any of the questions below is “yes,” you need to sign a BAA with this individual or entity.

Does the business/vendor perform a function, such as record destruction, that is necessary on behalf of your business/organization and do you benefit from their actions?

Does the business/vendor create, receive or retain PHI on your behalf, such as record retention?

Does the business/vendor provide a function/service for your business/organization, such as claims processing, claims administration, data analysis, utilization reviews, quality assurance, billing services, benefit management, practice management, chart reviewing, or claim repricing, that uses PHI on behalf of your business/organization?

Does the business/vendor perform any other HIPAA-related functions on your behalf, such as legal, actuarial, accounting, consulting, data aggregation management, software maintenance and servicing, administration, accreditation or financial services?

Does the business/vendor perform a service for or on behalf of the business/organization that involves the disclosure of PHI, such as record copying?

Persons or entities whose services or activities do not involve creation, use, or disclosure of PHI do not require a Business Associate Agreement, even if they are exposed to, or have incidental access to, PHI.

Just remember, the shepherd is responsible for the actions of the lamb.

 

 

What our clients say

“In the electronic medical record environment, Stevie Davidson has the knowledge and expertise to create a focused and strategic IT plan to assist any medical practice. She can assess the needs, identify the challenges, and provide all of the training necessary to create an efficient IT solution. I have received glowing feedback from medical practice managers and physicians who have utilized her services. She is creative, flexible and a true professional in her field.”

Fran Monteleone, RN 
Director Physician Services and Community Health
 Clara Maass Medical Center 

 
