Enhance eSignature Legality for Business Associate Agreement

  • Quick to start
  • Easy-to-use
  • 24/7 support

Forward-thinking companies around the world trust airSlate SignNow


Your complete how-to guide - esignature legality for business associate agreement

Self-sign documents and request signatures anywhere and anytime: get convenience, flexibility, and compliance.

eSignature Legality for Business Associate Agreement

When it comes to ensuring the legality of eSignatures on Business Associate Agreements, airSlate SignNow offers a reliable solution. With its user-friendly interface and advanced features, businesses can streamline their signing process while staying compliant with all legal requirements.

Steps to Utilize airSlate SignNow for eSigning Business Associate Agreements:

  • Launch the airSlate SignNow web page in your browser.
  • Sign up for a free trial or log in.
  • Upload a document you want to sign or send for signing.
  • If you're going to reuse your document later, turn it into a template.
  • Open your file and make edits: add fillable fields or insert information.
  • Sign your document and add signature fields for the recipients.
  • Click Continue to set up and send an eSignature invite.

airSlate SignNow is a powerful tool that enables businesses to handle their eSigning needs effectively. It provides a seamless experience for both senders and recipients, ensuring that the entire process is smooth and hassle-free.

Experience the benefits of airSlate SignNow today and see how it can revolutionize your document signing workflow!

How it works

  • Open up a PDF file in the editor
  • Draw your signature using your finger
  • Download, print, or email your form

  • Collect signatures 24x faster
  • Reduce costs by $30 per document
  • Save up to 40h per employee / month

Award-winning eSignature solution

Get legally-binding signatures now!

  • Best ROI. Our customers achieve an average 7x ROI within the first six months.
  • Scales with your use cases. From SMBs to mid-market, airSlate SignNow delivers results for businesses of all sizes.
  • Intuitive UI and API. Sign and send documents from your apps in minutes.

How to eSign a document: eSignature legality for Business associate agreement

Hello, and thanks for joining us. I'm Josh Gingold, and this is Ensuring HIPAA Compliance with the Business Associate Agreement, or BAA, brought to you by Ziff Davis and eFax Corporate, the world's number one online fax brand. I present today our technology analyst Chris Dawson. Chris, good morning, thanks for joining us.

Thanks for having me. Pleasure, always.

And we're also happy today to welcome a new speaker to the Ziff Davis family, HIPAA compliance trainer Ross Leo from HIPAATraining.net. Ross, great to have you on, appreciate it.

Of course, without a doubt, and looking forward to everything you have to say today. Very glad to be here, Josh, thanks for having me.

Absolutely. And before we begin, I do want to let everybody know that the information provided in this presentation does not constitute and is not a substitute for legal or other professional advice. We strongly encourage you to consult your legal or other professional advisors for individualized guidance regarding the application of the law to your particular situation and in connection with any compliance-related concerns.

Gentlemen, it goes without saying, but these HIPAA regulations are no small deal whatsoever, and of course with the Omnibus compliance, the Omnibus Final Rule that went into effect in September of 2013, the stakes are high. Ross, are you seeing an uptick in activity at HIPAATraining.net as businesses grow increasingly concerned over what many would argue is kind of a complex addition to the HIPAA and HITECH regulations?

Yes, I have. I've seen a tremendous amount of interest in "what does it mean, what do I do, help, help," all of that kind of thing. But yeah, there is a great deal of interest and concern to make sure that they have the right understanding and that they take the right steps without false starts.

And Omnibus and HITECH are really big deals. Some would call these Omnibus Final Rule rules that took effect in September 2003 the biggest change to HIPAA in 15 years. And of course what we're talking about is the Omnibus Rule of the HITECH Act that many health care providers are trying to come to terms with, in terms of the requirements for documenting business arrangements with vendors. That's the big provision, that's what's really changed, and we'll go into that in just a moment. The term "business associate" of course refers to really any entity that provides supporting products and services that are private health information related, PHI related. This is a very, very big deal, and there are many, many provisions to it, and we've gone over those on past webinars, and I encourage you to look into it. There's a 500-plus page document that is just related to this Omnibus Final Rule, and if you're on this webinar then my guess is you're well aware of it. But this idea of protecting your business against the actions of business associates who may be handling PHI data is very, very important. Of course, we also know that the term business associate, as I said, refers to any entity that provides supporting products or services that are related to protected health information. Now there are some exceptions to that, and we'll go into those in just a moment. But Chris, this is a really broad segment. If you're looking at a hospital and all of the different vendors that may be touching this data, whether it's on the IT side or call centers, whatever the case may be, if you look at the term business associate, it covers a lot of ground.

Well, it really does. I think this is what has people a bit nervous, whether you're a health care provider and want to make sure that all of your dealings are on the up and up with whomever you're working with, or you are providing services in the healthcare vertical: am I a business associate? How do I know if I'm a business associate? How do I know if I need to have one of these agreements in place, and if I do have all these agreements in place, just what are my responsibilities and liabilities? That's what the people are nervous about, for good reason. I think there's a bit of, well, not just a bit, a fair amount of uncertainty floating around about what really constitutes a business associate, and that's a question that absolutely must be answered, whether by lawyers or consultants or whomever.

And of course that's where special guest today Ross Leo comes in with HIPAATraining.net. Now Ross, we know that the way that you provide this protection that Chris is talking about is through these formalized business associate agreements, and of course that's familiar ground for you. You're advising clients on exactly how to shape these things, but they are legally binding and they need to be taken seriously.

Oh, that's absolutely true. They're like any contract: there's going to be a lot of terms and conditions, and when you construct it, it needs of course on the one hand to be in compliance with what the law is specifying, but it's also got to be a sound contract as well. So there are an awful lot of points that you have to be comfortable with and familiar with, and it's not something that you just say, okay, I've got one, here it is, we're done. You need to read it, you need to be intimately familiar with what it says, because as we've seen in the news, a lot of people are getting hit with a lot of fines, a lot of investigations, privacy breaches, the whole gamut. So you've really got to pay very close attention to this.

And of course everything that's health care related right now is getting an awful lot of attention, some would say scrutiny, because of the new national Affordable Care Act. So health care is very interesting, and there will be a lot more rules because ostensibly there will be a lot more people in the system. But we've covered this ground. I want to provide a quick example that was given to me recently, and I think it's a good one, and I just want to walk through this for those of you who really want to understand what this means and who it does and does not apply to. So let's take the example of a hospital, which would be a covered entity. That would be the primary health care provider: the hospital, the medical group, whatever the case may be, referred to as the covered entity. What we've been talking about so far, business associates, okay, but this covered entity for whom the business associates would work, let's say that they adopt an electronic medical record system, or EMR system. Chris, I know you're very familiar with this. This is probably one of the single most important trends in healthcare IT right now. Well, if you take that example one step further, that company, that vendor that is providing that EMR software, that is a mouthful, then they're a business associate. And let's say that they need access to PHI, or protected health information, for support or to keep the system running, right? It's not always the case, but let's say that they may at some point need access to that software, either on premises at the hospital or through a cloud provider, whatever the case may be, or rather a hosted provider. Then they would need to complete a BAA. And Chris, in a hospital environment, if you think about a campus, that could be a significant number of business associates, if you will, whereas in a smaller, let's say a doctor's group, it's a little easier to manage. I imagine they have legions of people who are just looking at these relationships now to determine who is and is not a business associate that would need to be covered by a BAA.

Well, that's true, and if you are a very large practice or a big hospital, then you certainly do have more than a few people thinking about this. What's interesting, though, is that lots and lots of smaller practices are being absorbed by hospitals all the time, and so you have these little neighborhood medical clinics, for example, that are now having access to major EMR systems and are having to integrate their own systems, and maybe even have their own electronic systems that now need to speak with larger systems, and they're adopting their new owners' EMR. There's a lot of things happening in terms of consolidation that are making this kind of front and center, no matter how big a practice and no matter how many patients you deal with on a daily basis.

And keeping with this hospital EMR example, let's take it one step further and let's say that the hospital is using cloud-based services to store all that data that contains this protected health information. That cloud-based services provider would also need to complete a BAA. But this is where it gets really interesting, and folks, we're really simplifying here. I cannot say enough that we're not trying to give any kind of legal advice here. Take everything that we're saying at face value, but do your own due diligence to ensure that you're looking at these relationships correctly, because there are exceptions, and the exceptions are really interesting. It's right in the FAQ that's available on the Department of Health and Human Services website, but a BAA is not required for organizations, and this is quoting, "such as U.S. Postal Service," makes sense, even though they're handling those letters, etc., those packets, "certain private couriers and their electronic equivalents," my emphasis. That could be, for instance, a cloud provider that is not posting PHI data on its servers but is rather just a conduit. And Ross, this is what is referred to quite often as the conduit exception, which is a topic we're going to take on in the next part in this series, but that conduit exception is very important. How do you advise your clients to know when a conduit exception applies, or quite frankly when they don't need a BAA? Because that could be a complicated and a costly decision if they're wrong.

The way that we typically look at a situation like this is to take the Department of Health and Human Services definition of a business associate: what are they, what do they do, what sort of things could they reasonably be expected, and that's a very, very important word, reasonably, what could they reasonably be expected to need access to? Then we take the definition of courier or conduit. It is, as you say, someone who simply gets it from point A to point B, like the Postal Service or the telephone company, like AT&T, not a service provider but the telephone company. So we walk through who the entity is and what they actually do and what the reasonable expectation would be for information access. The phone company is like the Postal Service: little envelopes, little packets of data that are going by. They're just getting them from one place to another. They don't have a reasonable expectation to look in them and see what's there. So by getting that precise, by being that careful to scrutinize the role, we're able to put people in either the BA or the conduit kind of exception. Now, OCR itself has said this is a very narrow kind of an exception, so we have to be very, very careful. Again, the word reasonable becomes very important, because as you correctly point out, an EMR provider, it's very reasonable to expect that they may need to see the data, the actual PHI, in the course of their technical support. But someone like a phone company or UPS or somebody like that, the expectation really isn't there. But we have to be extraordinarily careful how reasonable and how finely we define this thing, because if you get caught making it too broad, then you may be in a position where you needed to have one when it didn't, but on the other hand, if you define it too narrow, you may be giving somebody some responsibility by making them do a BAA when maybe they didn't need to. So like the other issues we've discussed so far, it really requires a really strong understanding of the definitions and how to apply the reasonable rules to make sure that you're looking at it the right way and doing the right steps from there.

Now Chris, I know that you have, like me, pored through that 500-page document, I'm sure you've read every word of it, but you've spent a lot of time with IT administrators and decision makers who are in health care fields. Is it reasonable to think, and it seems to me kind of obvious, but is it reasonable to think that if you're a smaller doctor's office, of which I know there are a number of those types of people on this call today, but if you're working in a medical group, there's several doctors in there and you're getting IT support from a third-party consultant or an implementer, if you will, a channel partner of some sort, a VAR, you've got to have, maybe, and Ross, feel free to weigh in here as well, but you need to have not only an agreement with that business associate, that consultant who's advising you on your technical capabilities and reasonably is going to be in your software and providing that necessary support, but potentially the subcontractors of that business associate. Is that correct?

Well, I think it all depends on who, again, as Ross pointed out, who could potentially have access to real patient data. But if you think about a system, whatever that system might be, that's managing a whole lot of very diverse patient data, exchanging that data with other systems and making it available to hospitals or other providers elsewhere, yeah, you're right. I mean, the chances of a subcontractor or someone along this sort of stream of information having access to data, it's quite high. And so now all of a sudden, as a small medical practice, you've got to have a pretty darn fine understanding of just where information is flowing. And this relates to something that a lot of IT folks sort of take for granted, this idea of implementing and really understanding data flows. But it's not something that comes so naturally to a healthcare provider, or even someone who's been working in healthcare IT for a while, because it hasn't been as essential to know where things are moving around. Now they're moving around much more frequently. The Omnibus rules and new HIPAA rules make it much easier for data to move around, and so the chances of some sort of subgroup or a hidden subcontractor touching data becomes much higher.

And Ross, staying on this topic of subcontracts, and as Chris points out, the flow of data that could be PHI related, and there's also hard copy versions of this data too, so this subcontractor portion of it is terribly complicated. But I would guess that you would want to have some note of that in your privacy statement that's going to go to the patients that are in your system to begin with.

Yes, that is absolutely true. One of the things that I find is very common is the covered entities that give out that notice of privacy practice find themselves brought up short many times, because when something does happen and the patient says, well, I didn't know that, how did you do that, where did you get the permission to do that? The law gives covered entities, individual providers or hospitals, either one, it gives them certain rules that they have to follow. Sometimes they have to get patient authorization or inform the patient, sometimes they don't, but what the law always requires is they have to inform the patient that these conditions could apply. Having a patient learn by some unplanned channel or through some unplanned or unsuspected way that their information is flowing in various places to various parties in ways that they didn't know about, that kind of surprise is not a surprise, it's a shock, and they can have a great deal of difficulty with that. So you have to make sure that you inform them that these conditions, and the new Omnibus rules are very clear about this, they say that you have to inform even more vigorously than you had to before that these kinds of conditions could exist. Sometimes patients have the ability to opt out, not of these business associate relationships, but you have to be sure that they know what their rights are and what's going on. It's usually the worst mistake to make to leave it, oh well, it's not that important, they'll just assume that we're doing this, or whatever the expectation is. But that unspoken interaction that's going on that they learn about and are surprised or shocked by, that can have some very unfavorable effects on the covered entities and their business relationships with their patients. So you have to be very forthcoming.

Yeah, go ahead, Chris. Sorry about that.

Oh, as you can see, yeah, it's history. How often do we go into a doctor's office and we sign their HIPAA compliance policy, and we just sign it because we really just want to go see the doctor and get our flu shot or whatever, and we don't pay attention to it? And how often do the doctors really say, no, this is a new privacy policy that we have, I'd really like to go over some points on it, or the receptionist who sees you and has you sign it, that sort of thing? It's just old hat for most folks now, and yeah, okay, it's your HIPAA policy, whatever, here's my signature. But it does become, really, under these new rules, far more incumbent upon the provider to ensure that, one, they have an updated policy and that policy is abundantly clear, and two, that patients really understand it and are just blindly signing it.

Chris, that was going to be my question as well. Sorry to interrupt, Ross. That was going to be my question as well. I know I don't read them, so what are the rules? How do health care providers protect themselves with these new rules?

Well, if I can jump in, first off, I want to say that I agree completely with Chris's point. Second thing is, in my consulting practice I find that a lot of the physicians object to HIPAA, first off, because they feel like it takes away from face time. But what I counsel them to do is to use that as improved patient relationships with their patients. You're talking to them about their health; why not talk to them about the health of their privacy and how you, as a good steward of that information, are safeguarding it as their advocate, as their protector? You're protecting their health; why not protect their privacy as well? So the provider organizations can very definitely use this as an opportunity, as Chris was alluding to, to show the patient that they're caring for the whole person, their privacy as well as their health, because it really is all about a healthier human being. So this is a great opportunity for them to have more and better quality face time with that patient, and they should take advantage of it.

Okay, every time you guys talk I have dozens of questions. I'm going to save them to the end so that we can get to what you're going to show us in just a little bit here, Ross. I want to remind everybody, though, that you can submit your questions and comments by using the Q&A button at the bottom of your console. There's four little buttons down there; click on Q&A, you'll get a window, you can enter your question or comment. Good time to enter them all now so that we can sort them out, but we encourage you to do so. We're very lucky to have, of course, Ziff Davis senior technology analyst Chris Dawson and HIPAATraining.net compliance expert Ross Leo, so get those in before we get to Ross.

A couple of quick challenges that you need to be aware of, and I'll go through these quickly. As you already know just from listening to this conversation, the new Omnibus Rule of the HITECH Act, which falls into the HIPAA regulations from the Health and Human Services department of the U.S. government, it's complicated. There are a lot of provisions, there are a lot of exceptions. We talked about the conduit exception; there's also some exceptions for research, in terms of allowing researchers to access data that's anonymized and aggregated, etc. So you really need help, to say the least, because everybody's mileage varies and no two situations are ever the same. It's a good idea to get some professional help. Also, as Ross alluded to at the very beginning of today's presentation, business associate agreements, BAAs, they go by a bunch of different names, but that is sort of the name that's taking hold, they're legally binding, and the new Omnibus rules do provide for a substantial amount of liability if you're found to be in violation. So again, it just makes the case for some professional help. And then finally, and this one actually is probably as important as anything that we can tell you today: it's very easy for business associate agreements, these BAAs, to be misused and therefore to diminish their value. And the best example I can give, and gentlemen, I'll ask both of you to comment on this, the best example I can give, and actually this was shared with me, it's not original thinking, but it really struck a chord: vendors, business associates potentially, that are trying to get a contract with the hospital, putting themselves out there and saying, and of course we have a BAA template that we'll sign, to differentiate their service. And I think that that's very relevant. It really does diminish the value, Ross, of what a BAA is intended to be. It's not a selling point, and it may not protect the covered entity if it's just templatized and it's not specific to the situation, for example.

Oh, I would agree. The original intent of this thing was to make sure that everybody that has a reasonable expectation of handling this very sensitive information is going to treat it appropriately, in accordance with the rules obviously, but also that there are the accountability and penalties for those who don't. But by trying to use this as a marketing tool, I have a feeling that in many cases those who proclaim that they're business associates and they say, oh yeah, we'll sign that, absolutely, as you said, as an effort to get more business, this is a case of, I don't think they're thinking it through carefully either, because both parties have to realize that there's risk with this, and it may be something that they haven't looked at carefully enough, because if something goes wrong, everybody's in the soup.

And to your point, and to this point in general, I love this quote, and Chris, in fact the three of us talked about this just before this call. Chris, you and I have had a number of conversations about this, but it seems like common logic to say, well, when in doubt, get a BAA from your vendors just to cover yourself and make sure you're not going to have any trouble. So this quote here: "Make everyone we deal with sign a BAA; that way we've covered our bases." So this would be the reverse now of the business associates who are using BAAs as a marketing tool to get new business. Now we're talking about covered entities that are just saying, you know what, let's be safe and just put everyone on a BAA, which at face value makes a lot of sense to me. Chris, you and I have talked about this, but Ross, the reality is that's a bad idea.

I would have to say that I think that using this kind of a blanket approach really is, well, bad is a strong word, I think it's ill-advised, and the reason I say it that way instead is because on the one hand it means that you haven't examined the business relationship you have with that party carefully enough. You see, to go to the very heart of what HIPAA is about, it's about risk management. That means that you look at what your risks are, where they come from, how they can impact you, and so on. And I have a feeling there are a lot of folks that don't realize this contract, this business associate agreement, is not only a way of dealing with risk, but it is a source of risk as well, especially if you haven't carefully examined the situation, because contracts are always two-way. Each party has responsibilities and accountabilities to the other, and if you simply do this, having everybody sign one, that's like asking the guys who do the groundskeeping to sign a BAA because, well, they're doing business for this, so might as well get them to do one. What would that really mean?

I think it's interesting to note that every business associate agreement is a contract, a binding two-way contract, as Ross points out, but not every contract needs to be a BAA. And my temptation as well, and as you said, we've discussed this before, my temptation is, well, gosh, when in doubt, right? But I think Ross makes an excellent point that under the Omnibus Rule a BAA really imposes some pretty significant potential penalties and exposes a business with which you are doing business to an awful lot of liability. And we're talking about potentially fifty thousand dollars plus per violation of these rules if there's gross neglect, much lower penalties if people have been trying their best, essentially. But there's a lot of liability that gets exposed here, and you don't need to expose all of the people with whom you do business to that liability. Fortunately, there's some pretty good decision trees that Health and Human Services has provided around this, but it makes the case that no matter how small a practice you are, no matter how you deal with your data, you need to have an expert, whether it's a trainer or a consultant or a lawyer who specializes in this. You need to have someone available to really help you go through those business relationships that you have and establish where these BAAs are absolutely necessary.

Okay, so I appreciate that, you guys. That one I really struggle with, even as I'm hearing you how much sense it makes. I guess I'm one of those people that would be guilty of making this type of statement, especially for the smaller businesses, but to both of your points, everybody who's listening to this call, you need to be extremely careful with these so that, as Ross says, you don't take on burden that doesn't belong to your organization. So be careful with that.

Okay, before we turn it over to Ross and really look at what needs to go into, or rather the elements of, a meaningful BAA, how to protect yourself, here are some other additional considerations that you probably are already aware of. But you do need those notices, notices of privacy practices, that go out to your constituents, your patients, whatever they may be, and it is a good idea, as both of our speakers today have pointed out, to take the care to explain to what are really your customers, your patients, that there are new rules and that they do need to read it and they do need to understand what it means, because you have electronic medical records or whatever the case may be. So don't just put it in front of them with the stack, but rather take steps to make sure that they understand what their rights and responsibilities are. And also these breach notification requirements. It is something that you need to be very conscious of, because if something does happen, and let's say a business associate has a breach, some sort of unintended electronic breach of data, if you will, that you may not otherwise know about, it's very important that not only there's a policy in place to deal with those breaches, but on this last point, that you're able to enforce those policies and that your business associates know what the consequences are with not notifying you, or what your expectation is that they should notify you. So these are other documents that should all be a part of the business associate agreement process.

But on that BAA specifically, now, as I said, we have Ross Leo on from HIPAATraining.net. Ross is a HIPAA compliance instructor, so he teaches covered entities and, Ross, I imagine business associates as well, not just covered entities, I imagine you cover both, but it is your job to essentially tell people what they need to do. And when we're looking at the elements of a meaningful BAA, there are four main points here, and the first one you have is regulatory requirements of the business associate and its subcontractors, which we talked about. Can you give us a little more detail on that and the remaining three steps in how you look at this process?

Yes. First off, one of the things that begets all of this is, under the original law, before HITECH and before Omnibus, it placed almost the entire responsibility on the covered entity to manage all of the privacy. Whatever was sent downwards to business associates, the law expected the covered entity to manage everything, and it was through the vehicle of the business associate contract, as it was then configured, that the covered entity was supposed to do that. Well, what HITECH and Omnibus have done is they have taken that responsibility and they have put it into the actual body of the law. So now everybody who has legitimate access to this information is now held accountable by the law directly, as well as to the business associate contract, for how they do that, what they do, what they mishandle, or whatever the situation is. It also brought into the picture the subcontractors to business associates as part of this picture. Now here's where it gets a little bit hairy. Covered entities and business associates have a direct relationship, and it's defined by the business associate contract, the other name for the BAA. The business associates also have subcontractors, but when I say it gets a little hairy, it's because the relationship of the covered entity to the business associate is not in the same sense extended all the way down to the subcontractors directly to the covered entity. So the covered entity is still trying to manage these relationships, but this time it's through the business associate. So, like I say, this is why it's a little hairy. So what we really have to emphasize at this point is the covered entity and its legal counsel needs to be very clear in the business associate contract what is required, what is expected, how things are going to be managed, because the covered entity is really, more or less, in a sense the senior partner in this contract. They're still looked at by the law as being the primary custodian and protector of all this information, because they're the source and they're the ones who supply it to everybody else, the business associate and their subs, if there are any. So they need to be very, very clear in the body of the business associate agreement how that's going to be done, what's going to be expected, what the penalties will be, because it has to contain sanctions as well for failures to deliver. And it needs to be complete about this, because you have to be very clear and complete in this thing, because everybody who is a party to this agreement is going to have responsibilities and legal liabilities, and a failure to be clear or complete is going to result in some murkiness. And that's a lot of the complaint that I hear these days about HIPAA: "it's not really clear about this." Well, in a case like that, you're going to have to take a position and define it for yourself, and as long as you're comfortable with what the law says, and if the law doesn't say anything to the contrary, you can define it for yourself in the body of that agreement, and that is another part of being clear and complete in those relationships.

And of course the direct follow-up to that: you really need to make sure that you have these performance measurements and metrics in place so that you know exactly whether you're compliant and whether there is a plan to ensure that you remain compliant.

That's correct. Every contract, and for a moment think of a business associate agreement as like any other contract, you have responsibilities on both sides, things that are going to be delivered, time frames in which those things are going to be done. Some contracts talk about a thing called liquidated damages. All of this is about one party delivering the service that's promised within a specific time frame at a specific level of quality, together, and in that sense a BAA is very much the same. The law spells out various kinds of time frames, it spells out various kinds of documentation that each party has to have. One of the things that this particular vehicle can do is take those time frames and that documentation, and it can enable good coordination between the parties to cover them during the business associate, so that instead of working at cross purposes, as can happen sometimes, they're working together. They're bound together by the contract, they should be working together, and it's in an effort to continue to protect the information. It's in an effort to continue to provide high quality, timely health care to the patient, and working together, I think overall, they can do a better job. So it's a positive way to use the agreement to bring about better coordination, because the one thing that we want to try to do is use this as a vehicle to avoid sanctions. The fact is, sanctions many times are going to end up being assessed against more than one party, and the primary is typically going to be the private entity, not solely and not only, of course, not under the current rules that we have. But if we can avoid sanctions for all parties concerned, then the entire system of this is better off and the patient is still being protected.

And you mentioned sanctions, and that leads us right into probably the biggest, well, they're equally important, but to me the one that captures my attention is the concept of controlling risk.

Well, as I mentioned a moment ago, HIPAA is really about risk management. It puts covered entities and business associates in a position to identify, define and determine proper methods for managing and controlling the risk that they face. Now we're talking, of course, specifically with regard to the information and
the likelihood of it's being compromised how that might happen who it might be compromised to and so on and the law gives each covered entity and intern business associates the ability to do that for themselves because the ultimate goal is not a prescribed set of controls as many people would feel far more comfortable with it gives them the ability to determine what the risks are in very unique environment as you pointed out no two are the same so they can do that and they can come up with the most cost effective controls for their specific situation but that of course means that they have an awful lot more intimacy with their own environment which is a good thing to be ultimately one of the things that they find though is that that risk is transferred in both directions you get controls but you also get risk going from the business associate back to the covered entity and then down from the covered entity to the business associate and then even onward to the subcontractors and the contract the business associate agreement can be used to manage that risk better by putting in certain kinds of conditions certain kinds of controls and these are of course like all contracts or negotiated instruments by putting this in place it can be used to mitigate risk for both parties it puts risk where it belongs which has to again be agreed to by both parties but it's a vehicle where you can manage this thing itself there are always going to be proactive and reactive approaches to managing risk controls you can put in place to keep it from occurring for example the disaster recovery plan is a reactive type of control where something bad happens it gives you a plan to respond to it and that's another form of control that can affect both parties and by developing the coordination as i mentioned before between the business associate the covenant there can be compatible approaches where they can work together to manage risk that affects them vote and this baa is a vehicle that can 
enable that sort of things for happening i like to look at the baa as a vehicle to put responsibilities and accountabilities properly where they belong but also as a way for these two parties to manage their relationship in a coordinated collaborative sort of a way so that everybody is better off but they have to they have to make the effort to get that done and that begins with understanding of the situation and of course making sure that everybody is better off you have to talk about accountability and liability uh both holding your business associates accountable but also ensuring that if there is a mistake made that they're covered that they're able to to be uh to take liability and to accept and and stick to your policies and ensure things like patients being informed of a breach etc that's right the the accountability and liability questions comes from a question of what is known as agency now as as you've said this is not meant to be legal advice but this is something that the people are often they're blindsided by and the question of agency is how much of the business associates job is actually directed actively by the folks at the covered entity or how much independence does the business associate actually have the more control and this is and this is where the rubber meets the road so to speak the more direct control and involvement a covered entity has and the activities of the business associate the more as the law would say the more agency there actually is and this is one of those very subtle areas where a covered entity actually assumes greater liability than they may realize the idea here is if you're going to engage a business associate to do a particular job for you use the contract to negotiate particulars about what the job is how it's going to be done various kinds of constraints and you know other parameters about that and then let the business associate do what they're supposed to do to provide that service but the more that you do is the 
covered entity the more you do in that the more active you are the more direction you exercise over it you're going to find that you actually absorb more liability and have more accountability than you may have realized so you've got to you've got to be careful when you define roles and actions and independence levels for each party to this agreement and of course we talked about this earlier but real quick uh half of the battle and i appreciate those four points uh by the way thank you very much for that ross and i want to tell everybody these slides are available you can also contact hipaatraining.net the address is right in the name it's hipaa training.net we'll provide that link in just a moment but we've talked a little bit ross about when a baa is needed and i think that you've sort of summed it up here nicely well it really does come down to this if if the shoe fits and even though there are people that wonder who really qualifies the the office of civil rights part of dhhs has given a definition and as you said at the top of the seminar if you have a contractor that handles phi for you then they probably qualify and there are some that don't like the postal service and others so if the shoe fits then you probably need to do a baa certainly give serious consideration to it but if it doesn't always be wary of the fact that it does create liability and risk and obligations where probably none should exist but and and like any contract it's not bulletproof no matter how carefully no matter how well you craft it it's a vehicle like every other legal vehicle and you're going to have to defend it you're going to have to use and my advice to everybody is make it as positive and as careful and as complete as you can but always be prepared to understand the situation very very clearly and very carefully because we don't want anybody having a false sense of security about is it a bulletproof shield or is because they're not like any other contract came out and that 
false sense of security is a biggie and of course this is the point and again i want to thank ross leo from hipaatraining.net for great information you can find them at hippodashtraining.net i want to bring chris dawson back in for the q a section chris you still with us i'm here all right and and we also again have ross on as well if you haven't already done so you can submit your questions by simply clicking on that q a button at the bottom of your screen we're going to do our best to answer as many of these we can in the next 10 minutes or so if you have if we don't answer them during today's presentation i'll pass that information on to chris dawson and ross leo and we'll get as many of those answered after after the presentation as we can i'll take as many of those as i can if you have other questions or comments you can also send an email to webinars davis.com and as i said you can learn more about uh ross leo's organization hipaatraining.net at hipaa excuse me training dot hipaa.net appreciate that very much okay guys here we go fast and furious i'll call these out read them out loud to you and if you can please do your best to answer them as quickly as possible so that we can answer as many as possible that would be great okay the first one comes to us from jim and let me see if i can get this into the slide area for all of you jim says is the baa separate from a service contractor or can it be included as an attachment or enclosure to the contract now ross i'm going to point this one at you because i had a similar question to jim's question which is if you're not sure could you put language in for instance a service level agreement that says uh you need to let us know if at any point you you know intentionally or inadvertently access phi so that we can ensure that we have the right agreements in place etc how do you cover yourself or do you have to have a baa in all instances if that if the rule applies to that particular associate uh this is actually an 
issue that i dealt with a few years ago i had a very complicated situation uh and what we discovered and i talked this over with my clients corporate council what we did was we built two uh we built two documents one was the service agreement and the other was a business associate we we turned out to call it a business associate annex or addendum the business associate addendum had everything that a ba should have in it regarding the hipaa subject specifically and it was an attachment in all applicable cases to a services contract it it simplifies a couple of things for one you don't overly complicate or clutter your business your your business agreement about the services but it also makes sure that the hipaa part is covered and since the baa is required by the law to be reviewed for modification on an annual basis it makes that process much simpler but you can absolutely have the baa done as an attachment to a license agreement or service agreement of any kind and uh and appreciate that go ahead important clarification though is that you know it it can be an addendum but it shouldn't be sort of embedded within the the service agreement those two things should stand alone uh even if they get combined into ultimately a sort of single document it needs to be um an addendum or an appendix such that it it does stand alone and that's in direct response to jim's question so jim uh yes it needs to be an attachment or a separate enclosure as chris says and ross as well perhaps an exhibit jenna wants to know and i think we can handle this one real quickly ross just to clarify is it training dash hipaa.net or hipaa training.net as i've said um it's it's hipaa training.net okay so jenna thank you for that and and i i see that i have it correct on the screen here so you're all good to go now john john says and chris this is a great one for you start with you on this one ross feel free to answer as well john says what are the requirements of cloud-based suppliers that may 
handle something like voicemail or recording when it comes to hipaa now i feel like this one's pretty straightforward but chris i guess it really depends on whether they're handling phi data it yeah but you know if if a patient could leave information on a voicemail for example and you could then need to say get tech support and say hey i can't access this voicemail uh something something's gone wrong with the system or you know we're trying to get transcriptions of these voicemails for example uh the chances of that provider seeing or accessing phi is relatively high in which case yes you would certainly need to have a baa if there's some sort of uh you know something strictly self-service cloud-based and uh you don't ever see a possibility of them accessing information uh then i i you could probably try and apply the conduit exception but and ross i'd love to hear your perspective on this but i think this definitely uh would be a case in which a baa would be appropriate well to to kind of add to what what chris has already said you have to remember phi can come in the form of something written something electronic or something spoken so voicemail absolutely would be covered the we really should consider all of those as information period so that the baa will call all three out as individual elements but you have to treat each one as sensitive in the form that it comes to you so i'd have to absolutely agree with chris we we need to have consideration given in in those cases where it seems reasonable we've got to have a baa for that next question comes to us and and thank you both very much uh and thank you also to john for that question next question comes from uh devi dust who says from a software vendor's point of view for instance somebody uses amazon web service or microsoft azure aws and microsoft are willing to sign bas does this cover the vendors that offer cloud services to their customers using aws and azure so ross i don't know is that a subcontractor 
situation in other words i'm a software provider i let's say i provide emr service to health groups but i'm i'm actually hosting those records on an amazon server or an azure server uh if if microsoft and amazon give me a baa and i can give that to the covered entity am i covered or do i also have to have a baa under the subcontractor rule no the way that the way that i understand this to work is that if you are getting your service directly from some third party let's call it you know cloud voicemail just for the sake of discussion so if they are your primary service provider your contract is with them if they know that they're going to handle phi which they would through your contract with them they then need to get the subcontract with whoever their back end is be at microsoft azure or amazon web services because as the covered entity the flow through is from you to your contractor your business associate and then from them to the sub but it's the sub and the business associate that have the direct relationship to the contract the covered entity manages this through their contract with their business associate but they're but having done it that way and this is my understanding of the law the coverage does not need to have a contract a subcontract with in this case amazon because their relationship is managed through the contract that they have with cloud voicemail as their actual service provider great answer really appreciate that next one comes from uh michael um let's see here michael thanks for bearing with us michael says is there a defined process for review and response to baa requests that you receive that identifies whether to sign how to process retention periods etc i guess this is where you bring a consultant in right ross is is somebody that can actually look at your documentation determine whether you're covered uh legal counsel should also be able to do this sort of thing um are there are there places where these folks can go to sort of vet how 
they're managing their baas themselves uh you can you can i i i strongly urge that this be done through if if you have a an attorney i strongly recommend that you have that an attorney coupled with a hipaa consultant who is an expert in that that kind of a pairing would do everything that you need to get that contract looked at and defined but that's really the process it's got to be your legal authority and it should be someone very very familiar with the hipaa process and the various pieces of that now jody tina john uh we're going to take your questions via email last question the day is coming to us from bill and bill says is there any group that reassesses an organization either a provider or product owner etc on a regular basis i'm familiar with the department of defense and facility clearances there is a government organization called dss that comes around and checks out the company and re-certifies annually etc so is there somebody who is actually looking at whether businesses are compliant with these omnibus rules and any other hipaa rules my my my best guess is that maybe perhaps this department of commerce or is there another entity that is actually taking a closer look at these pas and whether businesses are being compliant if let me let me go ahead and jump in and certainly i want chris's opinion on this too as far as i know there is no agency no government organization no private organization that does this i'm familiar with the dias with the dss uh organization that he mentions and they do that with department of defense facilities as he says but there is no equivalent to that uh in the commercial market for this it is what you could call uh by exception by event and there are the proactive audits that were done in 2012 by dhhs on 115 covered entities this is this is a situation where the government is basically at least at this early stage they are willing to take your word for it if you say that you're doing this that until they get evidence that 
you're not meaning that something has gone wrong they're going to take your word for it but they're going to whack you really hard if they ever come looking and they find out that you haven't been telling them the whole truth or the whole story about and something significant is missing now my own conjecture and that's all that that is is i suspect that some part of this will end up being under joint commission eventually now i haven't heard anything to that extent or to indicate that that seems to be the case so that is purely my opinion but it seems a logical melding of what joint commission is already doing for hospitals however as i say there is no external entity that i am aware of that is doing this but you are expected to do it for yourself on an annual basis to provide evidence that you're staying compliant yeah this is very much the owner system at this point and uh you know but but even if it is the honor system uh it the the consequences of uh negligence uh and and uh particularly and the the omnibus rules outline uh monetary consequences for negligence really are significant so one this is a kind of a blue ocean market for someone who wants to become an independent uh auditor and two uh i would say that you know this is just because they will take your word for it word to the wise you know this is this is a big big deal and um you know get it get an attorney get a consultant and make sure that you're doing this right well thank you and thank you to bill for that question everybody else who submitted questions and comments we certainly appreciate it unfortunately that's all we have time for today i've been talking to chris dawson senior technology analyst here at ziff davis and ross leo compliance instructor at training dash hipaa.net you see this address right there on your screen again just a quick reminder for all of you the information provided in this presentation does not constitute and it's not substitute for legal or other professional advice and 
we strongly encourage you to consult your own legal or other professional advisors for individualized guidance regarding the application of the law to your particular situation and in connection with any compliance related concerns i'm josh gingeld on behalf of chris dawson ross leo and myself thanks for joining us this has been a special presentation of zip davis ensuring hipaa compliance with the business associate agreement brought to you by by efax corporate the world's number one online fax brand thanks for joining us and have a great day you
