Should My IT Vendor or Cloud EHR Sign My BAA?

Yes, Yes, and more YES. Business Associate Agreements are critical to protecting you and your legacy as a covered entity. Period. And they are the law.

A Business Associate Agreement is a contract between you (the covered entity) and your IT vendor or EHR provider. Whether you use Revolution, Crystal PM, or OfficeMate, to name a few, they all must sign your BAA. Not just their BAA. This is because their BAA is designed to protect them and not your practice. Remember, the BAA is a legal contract specifying how IT Vendors and EHRs maintain and secure your patients’ PHI.

If you have any doubt about whether a BAA is in place for the provider that handles personal health information for your organization, it is crucial that you confirm that they will sign one. Without this agreement, the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that they are not HIPAA compliant. This also means that you, as the covered entity, would be held liable should a data breach occur. And since you didn’t ensure that a BAA was in place, you are also likely to be penalized for noncompliance – and the fines are hefty.

So, which providers should sign a BAA? Any entity that manages the transmission and storage of PHI is determined to be a business associate and must sign a BAA. This may include:

  • IT Vendors supporting your environment
  • Hosting companies
  • Fax providers
  • Email providers
  • Mobile messaging providers

Here is our advice, plain and simple — Any company that refuses to sign a Business Associate Agreement is telling you that their business is not HIPAA compliant and you should not use their services.