The foundation of sustainable telehealth must provide for the protection of Personal Health Information (PHI). One of the primary issues that should be addressed is the need for Business Associate Agreements (BAAs).
The Department of Health and Human Services (HHS) provides clarification by informing us that:
“The HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”
Because of the COVID-19 pandemic and the subsequent National Emergency Declaration, healthcare providers were given wide latitude in the selection and adoption of almost any technology that would allow them to continue to deliver healthcare. There was a temporary relaxation in the enforcement of HIPAA regulations and of the rules governing the protection of health records.
That brings us to a question I am frequently asked: “As a provider, is it necessary to have a BAA with my telehealth vendor?” The answer, provided by HHS, is simple: “Under this Notice, however, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.”
In the short term, during the declared National Emergency, HHS recommends but does not require that providers have BAAs with their telehealth vendors. However, at some point, and it will only be a matter of time, this will change. In the move to sustainable telehealth, BAAs will be needed. It is better to act sooner rather than later and choose a telehealth vendor willing to sign and uphold your BAA.
This article was originally published on Medivisum and is republished here with permission.