Need for HIPAA Business Associate Agreements

Avoid violating HIPAA’s Privacy and Security Rules by executing a Business Associate Agreement (“BAA”) prior to turning over protected patient information to a third party vendor.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended under the 2013 Final Rule, requires privacy regulations governing individually identifiable health information. These privacy rules establish a set of national standards for the protection of certain personal health information.

The Privacy Rules address the use and disclosure of patients’ information, otherwise known as protected health information, by organizations subject to the Privacy Rule. A major goal of the Privacy Rule is to assure that individuals’ personal health care information is properly protected while allowing the flow of health information needed to provide and promote high quality health care, and to protect the public’s health and well-being.
A major area of vulnerability for many dental practices lies in relations with third-party vendors who have access to patient personal health information. Under HIPAA, third-party vendors may be responsible for securing and guarding personal health information in the same way that dental practices are required to secure such information.
The Rules require that the covered entities include certain protections regarding patient information in a Business Associate Agreement. Dental practices should draft a Business Associate Agreement, which imposes specified written safeguards on the individually identifiable health information used or disclosed by third party vendors.