HIPAA and Postal Mail Business Associate Agreements

Generally, Covered Entities prefer to use a standard BAA template. This may be because it's easier to track a BAA's terms across different Covered Entities, or it may be because some Covered Entities have a third-party auditing or certification process in place.



BAAs are often used to define the uses of protected health information. A Business Associate may only use PHI for purposes that are allowed by the contract. If the contract is terminated, the Business Associate must return PHI to the Covered Entity. If the receiving provider uses the PHI for its own purposes, the receiving provider will incorporate the PHI into its own records. This could lead to a conflict of practices between the two providers.


Some Covered Entities have suggested the use of a third-party certification process for Business Associates. This could help reduce the amount of due diligence required for Business Associates. It could also help set a "gold standard" for Covered Entities. This could potentially ease the burden on Business Associates while still ensuring that they are meeting minimum HIPAA compliance requirements.


Smaller Business Associates often struggle to track the requirements of their BAAs. They may not have access to the technical safeguards necessary to comply with HIPAA, or they may not be knowledgeable about their obligations under the Privacy and Security Rules.

Larger Business Associates tend to have more resources and expertise to handle HIPAA compliance. They also have teams dedicated to this area. They report fewer problems with compliance than smaller Business Associates. These organizations may have a greater level of bargaining power, which can make the process of negotiating a BAA much easier.

