What Dental Practices Need To Know About HIPAA BAA

Melissa LuVisi
July 15, 2021 | 3 min read

When you run a dental practice, you need support from many external vendors, such as cloud dental software providers, billing specialists, accountants, and more.

These service providers often handle sensitive patient information on your behalf. It’s your responsibility to ensure that their processes are HIPAA-compliant.


So how do you hold these vendors accountable?

HIPAA requires covered entities (e.g., dentists, physicians, and other healthcare providers) to work only with business associates (BAs) and business associate subcontractors (BASs) that adhere to HIPAA regulations.

The law also states that any vendor and service provider you use must sign a business associate agreement (BAA). Here’s what you need to know about BAA and how it helps ensure cybersecurity in dentistry.

What’s a Business Associate Agreement?

A BA is an individual or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.

Your BAs may include a medical billing company, an accountant, an attorney, an email encryption provider, file sharing services, backup storage, cloud computing platforms, an IT services vendor, a shredding company, and a cloud dental software provider.

If a BA uses a subcontractor, it must enter a Business Associate Subcontractor Agreement (BASA) with the BAS. This ensures that the subcontractor is appropriately safeguarding the PHI from the covered entity.

The HIPAA Security Rule mandates that covered entities only work with BAs that follow HIPAA guidelines to protect PHI. The Department of Health and Human Services (HHS) can audit BAs and BASs for HIPAA compliance, just as it does covered entities.

A BAA is a written agreement between your dental practice and a BA. It specifies each party’s responsibilities when handling PHI. A BAA should cover the following:

  • The PHI the BA will collect, store, and/or handle, and how it’ll protect the data.
  • Safeguards to prevent the inappropriate use or disclosure of PHI.
  • Documentation that the BA has provided employee training on HIPAA compliance.
  • A definition of what constitutes a breach and what must be included in an incident report (e.g., whether your BA should report failed unauthorized login attempts).
  • Procedures to follow in the event of a cybersecurity incident (e.g., a data breach), including the breach reporting window.
  • Breach insurance requirements, which may vary based on the type of service provided.
  • Subcontractor compliance the BA must enforce.
  • Breach indemnification, which states that your practice is only responsible for breaches for which you’re at fault.
  • Terms for agreement termination, e.g., how the BA will destroy or return the PHI.

While a BAA shifts most of the liability to the third-party vendor, you may still get into hot water if you're aware of a breach of contract but fail to take action. HIPAA regulations require a covered entity to correct the fault or terminate the BAA if it discovers that a BA no longer adheres to the agreement. Otherwise, you’d share the liability of any breach along with the BA.

Why Are Business Associate Agreements Important?

Most dental practices need the support of third-party vendors to run their businesses cost-effectively. From accounting and billing services to electronic health records (EHR) software and patient communication platforms, every vendor that handles your PHI must be HIPAA-compliant.

But it’s not your fault if a service provider violates HIPAA guidelines and jeopardizes sensitive information. In fact, there’s no way you can effectively police business associates when it comes to HIPAA compliance.

A HIPAA BAA protects your practice from liabilities if your vendor fails to meet HIPAA guidelines or experiences a cybersecurity incident. It shifts the responsibility of safeguarding the PHI to the service provider, so you’re not on the hook for hefty penalties when a data breach happens.

The BA will also take on the responsibility and expenses of any remediation (e.g., providing credit monitoring to affected patients) so you don’t have to shoulder the high cost of a data breach.

When a vendor enters a BAA with your practice, you get the peace of mind that it’ll take the necessary measures to protect your sensitive patient information.

Using a HIPAA-compliant dental practice management platform is essential for running your dental practice cost-efficiently. tab32 is a business associate you can trust to collect, store, and process your PHI securely. Get in touch to see how we can help you stay HIPAA-compliant without the headache.
