When healthcare practices work with a third-party vendor, the vendor must sign a Business Associate Agreement (BAA). Under HIPAA, a Business Associate Agreement is a contract between a HIPAA covered entity and a HIPAA business associate. The contract protects protected health information (PHI) in accordance with HIPAA guidelines.
The BAA both satisfies Health Insurance Portability and Accountability Act (HIPAA) requirements and creates liability between the two parties.
BAAs are an expected part of the deal whenever outside vendors are part of the equation, and they are an important component of any practice’s federal compliance efforts. But what about when the vendor brings in a subcontractor? Must the subcontractor sign a BAA with the practice as well? The answer is an emphatic no.
Below are four things to consider before requiring a subcontractor to enter into a BAA:
1. Companies who work as subcontractors in healthcare already have BAAs with the companies that utilize their software or services.
Since the vendor has already entered into a BAA with the practice, the vendor has agreed to take full responsibility for the reliability of its subcontractors. There is no need to “double up” when a solid agreement is already in place. If there are two BAAs in place – one between the subcontractor and the vendor, and one between the subcontractor and the healthcare practice – the subcontractor must answer to two different entities with two potentially different sets of terms.
2. It is important to make sure that all the terms of the agreement align.
This is easiest to do when the vendor signs a BAA with the healthcare organization, and the subcontractor signs a BAA with only the vendor. It is the vendor’s responsibility to manage the terms. For example, a BAA with a vendor may stipulate it must respond to a request within 24 hours. But if the vendor’s BAA with its subcontractor says it must respond within 48 hours, that’s a direct conflict of terms. It becomes even messier when the subcontractor has a separate agreement with the healthcare organization, with a separate set of terms.
3. Three-way BAAs do exist, but they’re expensive.
An agreement can be put together to include the practice, vendor and the subcontractor, but it will cost significant time and money for attorneys. Such agreements require complicated language and can cause significant delays to the project. It’s not worth the trouble when the subcontractor is already covered under a BAA with the vendor.
4. The number of BAAs is not directly proportional to HIPAA compliance.
More paperwork does not always mean doing a job better. In fact, more BAAs can actually cause confusion should a HIPAA problem arise. It is important to ensure all accountability is specifically outlined.
Of course, it’s imperative to confirm that the vendor does, indeed, have BAAs with its subcontractors before moving forward. Protecting patients’ health information should always be a top priority.
Keep in mind the scope of work is between the vendor and the subcontractor, and not between the healthcare organization and the subcontractor. It is a more streamlined approach to hold a vendor accountable for its subcontractors.