I recently joined a healthcare company to set up and run its contract management function. While I have lots of contract management experience, the nuances of health care contract management are new to me. We have a lot of Business Associate Agreements (BAAs). Our team asks me for a new one every time they start talking to a potential vendor or provider.
I would like a better understanding of a BAA, but I also need to know when a Business Associate Agreement is required and, once executed, how to track it.
A Business Associate Agreement (BAA) is an agreement between a health provider and another entity (such as a supplier or a healthcare professional) that provides services to the health provider or its customers where those services may involve health information protected under HIPAA of the health provider's patients or customers. The primary purpose of the BAA is to define the requirements for the sharing and use of protected health information in the course of services provided by the business associate entity (including defining how data breaches will be handled).
It is critical to track any breaches of BAA agreements and either the resulting correction of issues that caused the breach or the termination of the contract and handling of protected health information in that event. It is also critical to track whether or not valid and current BAAs exist with all providers that fall under the HIPAA definition of a business associate.