As a vendor, I am very familiar with Business Associate Agreements (BAAs). Our business deals with PHI directly in order to provide the services we offer. This means that we need to have a signed BAA with the Covered Entities we do business with so that we are able to have access to this information.
Over the last few years these agreements have become more and more particular as far as what all the parties involved want. There are many reasons for this shift, and most of the changes that covered entities want are good. The problem is that we need to be realistic about what we can sign. If a vendor receives a BAA that says they will follow all the policies and procedures of the covered entity, they may not be able to sign it for a number of reasons. This fact is especially true if the vendor was never provided with the policies and procedures they will be expected to follow.
I think it is very important that vendors be given the BAA as soon as it looks like a contract might possibly happen. This way those types of issues can be discussed and all parties will end up with a BAA that does what it should and can be complied with. If a vendor doesn’t receive the BAA until the last minute, there may be pressure to sign it quickly to keep everything moving.
We as vendors are just as concerned with PHI, and we want to do the right thing. Let us be part of the solution to the problem of protecting PHI and not an adversary.