
Business Associate Refuses to Sign Dental Practice BAA

Question

Welcome to a Bite-Size HIPAA® Q&A video, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:

"We asked our practice management software provider to sign our Business Associate Agreement, but they refused and said they will only sign their own BAA. Since it is our patients' PHI, we feel like they should have to sign our agreement. What should we do?"

Thank you for submitting this question! This is a very common practice with larger vendors and providers. In this video, I'll explain why that is and what your practice needs to look for in third-party BAAs.

The HIPAA Law

Let’s see what the HIPAA law has to say about whether business associates can require you to use their BAA instead of your own.

There are three sections in HIPAA that lay the groundwork for the requirements surrounding Business Associate Agreements (BAAs). Let's break down what these sections mean for your situation. Section 164.308(b)(1) states that covered entities (you) can share PHI with a business associate only if you obtain "satisfactory assurances" that they will appropriately safeguard the information. Section 164.314(a)(2)(i)(A) says that these "satisfactory assurances" must be documented in a contract that requires the business associate to comply with all the applicable HIPAA requirements.

Section 164.504(e) further details the specific required provisions for BAAs, including, but not limited to, specifying the permitted and required uses of PHI by the business associate, requiring the business associate to use appropriate safeguards, and ensuring that the business associate reports any security incidents or breaches of PHI to the covered entity.

These sections make it clear that while having a Business Associate Agreement is a must according to the law, the specifics of what that agreement looks like aren't set in stone beyond the basic requirements that assure the vendor will take good care of patient PHI. This means clear rules on how PHI is used, shared, and protected, plus what to do if there's a breach or someone gets unauthorized access. If the vendor's BAA covers all of these required elements, then you are in the clear as far as HIPAA goes, regardless of which party drafted it.

Additional Context

In order to provide some additional context to this question, I’m going to approach it from a slightly different angle. Let’s ask why certain vendors would refuse to sign your BAA.

While BAAs are written chiefly to protect patient data, they are also written to protect the organization drafting the BAA. Attorneys tailor these agreements to protect their clients from the liability associated with protecting patient data. More specifically, they are written to address what happens when those protections fail and to clarify who is on the hook to make it right. That is why BAAs often address things like liability, indemnification, and insurance requirements. For example, our Bite-Size HIPAA® Business Associate Agreement template makes it clear that if a business associate causes a breach, they are responsible for paying to clean it up. Plus, they need to have a robust safety net in place: a minimum of one million dollars in cyber liability insurance.

Imagine a vendor working with hundreds or thousands of individual dental practices, all of them wanting the vendor to sign their custom BAA. The vendor would need a team of attorneys to review each unique agreement and a comprehensive system to keep track of the nuances in each signed agreement. The scope of that compliance process is impractical for vendors to manage, which pushes them to insist on a standardized Business Associate Agreement they can build internal policies and procedures around.

Even though you will likely be required to accept some vendors' standard BAAs, don't be too quick to sign them. Be on the lookout for language that protects the vendor from liability and risk caused by their own actions. Review every BAA carefully, highlight any language that limits the vendor's liability, and discuss it with your attorney before signing.

Summary

To summarize, Business Associate Agreements between covered entities (your practice) and vendors with access to patient health information are required by law. Who writes the BAA doesn't really matter, so long as the contract provides a solid, HIPAA-compliant plan for protecting the patient information you share with them and meets any specific requirements you have, such as assigning liability in the event of a breach. It's the substance of the agreement that counts, not whose logo is on the header.

Assume that vendor BAAs were written to protect the vendor's interests, not yours, and be aware of those risks so you can make good business decisions. Sometimes liability is addressed separately in your service agreement with the vendor, so check there too. And as always, have an attorney review these agreements before signing.

Remember, HIPAA requires you to keep a copy of these executed Business Associate Agreements for six years after termination of the agreement, so make sure you keep a signed copy of every BAA in a safe place.

Have a HIPAA Question?

If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.


Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.
