Business associate agreement checklist

More and more technology companies — even subcontractors — are being asked to sign business associate agreements when working with HIPAA-covered entities. Here are some tips to help you navigate through the complex world of business associate agreements:

Making your agreement work for you — Be sure to review the business associate agreement with your legal counsel and modify it accordingly:

  • Ensure that you have the proper insurance coverage and limits in place when assuming the risks related to protected health information (PHI). Avoid assuming liability for the HIPAA-covered entity’s actions
  • If you are a subcontractor, or completing only a portion of a project, be sure you limit your financial responsibility in the agreement to the work you are involved in
  • Limit indemnification agreements to the cost of the service level agreement or services rendered
  • Confirm that you are not being asked to take any action that would violate HIPAA rules. If this occurs, consider a reverse indemnity agreement
  • Require other subcontracted technology companies to sign a business associate agreement, where needed, and do not allow narrower indemnification provisions than you have in your own agreement. Ensure subcontractors have proper privacy and security policies in place as well as proper insurance coverage

Employee training — HIPAA requires employee privacy and security training, but training also helps minimize your risk, creates accountability, reinforces policies, and helps to ensure that protected health information is handled properly.

Security breach response — Despite due diligence, breaches can happen. Establishing a response plan will help you to react quickly when a breach occurs, enabling you to communicate to affected parties, as required of a business associate, and to minimize damages.

Business continuity planning — Having a business continuity plan in place helps ensure that your business can get back up and running after a disaster. It is also a HIPAA security requirement. The Insurance Institute for Business & Home Safety’s Open for Business site offers business continuity how-to guides and planning templates.

    114-1627 (9/19)          LC 2019-173