Transferring PHI without an executed Business Associate Agreement ("BAA") has become a point of intense focus for federal regulators, and one from which we can expect continued fines. In practice, however, BAAs are not always easy to get executed, for a plethora of reasons. With all of this in mind, here are a few tips and best practices that will be helpful for organizations looking to get outstanding BAAs executed.
- Get the ball rolling: Whether you are a business associate, covered entity, or subcontractor, don't hesitate to be the first to send a BAA for negotiation and execution. Doing so establishes the parameters of the negotiation, signals that this is a serious matter to you, and takes the first step toward getting a BAA executed. If you need a place to start, there are plenty of examples readily available, including sample provisions published by the U.S. Department of Health and Human Services (HHS).
- Stress the importance: Whether an organization is a business associate is determined by the specifics of the business relationship, not by the existence of a BAA. In other words, not executing a BAA does not absolve an organization of the safeguards HIPAA requires, so there is no compelling argument against executing one. Having a BAA in place is a requirement of both the business associate (or subcontractor) and the covered entity; the obligation is not one-way.
- Cause for termination: Almost all contracts outlining the business relationship will permit (or require) termination of the agreement if one party does not comply with applicable laws or regulations. Signing a BAA is required by HIPAA, so refusing to sign one is grounds for termination. While it may be a disconcerting thought, your only protection against an organization that refuses to sign a BAA is to stop the transfer of PHI to it. This can create an incredibly challenging situation, but in extreme cases it is the only option. Most likely, when faced with termination of the underlying contract, the other organization will agree to execute the BAA.
This topic is one of the more difficult issues facing the entire healthcare industry at present. It is not that the answer is unknown; it is that the best answer is also the most challenging one to carry out. However, you must ask yourself one question: "How much can you trust an organization that will not execute a BAA to ensure the privacy and security of PHI?" I am willing to guess that an organization that won't execute a BAA is probably an organization you don't want to do business with.