Invest in these documents when working with new partners to protect your practice from liabilities
As most dentists are aware, the data we collect on patients is rarely limited to the practice. Many different professionals have access to our patient information, including:
All of these people are referred to as business associates. According to the U.S. Department of Health and Human Services, “A business associate is any person or entity that performs activities or specific functions for the dental practice which would involve the use or disclosure of patient information.”
It is also important to understand who is not a business associate. Other health care providers involved in the ongoing treatment of the patient, such as labs and the practices you refer to, are excluded under the treatment exception. Janitorial staff are not business associates because their work does not involve the use or disclosure of patient information, even if they may see it incidentally. Nor is a company that acts solely as a conduit for information (such as FedEx, UPS or USPS), which transports or transmits it without routinely accessing it.
Dental practices are required to have a written and signed agreement in place with each one of their business associates. The HIPAA Privacy Rule requires dental practices to obtain written assurance that their business associates will safeguard all patient information they receive or create for the practice. Since the Omnibus Rule, the government can also impose penalties directly on business associates and their subcontractors, which was not the case previously.
The final Omnibus version of the HIPAA rule requires that covered entities (i.e., you) enter into contracts with business associates to ensure that the business associates will appropriately safeguard protected health information. This Business Associate Agreement (BAA) also specifies the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed. A business associate may use or disclose protected health information only as permitted or required by its BAA, or as required by law.
A business associate is directly liable under the HIPAA rule and is subject to civil, and sometimes criminal, penalties for making uses and disclosures of protected health information that aren’t authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
To protect your practice, you need to find a Business Associate Agreement (BAA) template that was written after the Omnibus Rule went into effect in 2013 (contact me at firstname.lastname@example.org and I will gladly send you one). Send it to all of your business associates and keep a copy of the signed agreement, with both signatures on it, for each one. Many larger companies (e.g., Google) won't sign your BAA but will provide you with one that they've created. If possible, have an attorney review this with you: the BAAs you create are designed to protect you; the ones they create may only protect the other party. At a minimum, check that any BAA you sign spells out the permitted uses of patient information, the safeguards the business associate must apply, its duty to report breaches and security incidents to you, its obligation to bind its own subcontractors to the same terms, and the return or destruction of your patient information when the relationship ends.
Also, be aware that some companies may not sign a BAA at all, and you should re-evaluate your relationship with those companies. Using Google as an example, the free version of Gmail will definitely not come with a BAA, but if you're on the paid G Suite (now Google Workspace), Google will provide you with one. If a company doesn't provide a BAA, or is unwilling to sign one, then you must consider the potential consequences to you and your practice should you ever be audited or suffer a breach.