Business Associate Agreement Fact Sheet

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”)

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The Privacy Rule standards address the use and disclosure of individuals’ health information, called “protected health information,” by organizations subject to the Privacy Rule, called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and wellbeing.

Purpose of the Business Associate Agreement (BAA)

The BAA provides protection to your patients’ health information, the sleep facility and the AASM. Facilities, Independent Sleep Practices, and DME suppliers applying for accreditation (covered entities) and the AASM (business associate) are required to complete a BAA in compliance with the HIPAA Privacy Rule. The agreement is necessary to allow AASM site visitors access to Protected Health Information (PHI) contained in patient medical records. This access is used at the time of a site visit for accreditation purposes only. Failure to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may result in civil money penalties.

Who is Authorized to Sign the Business Associate Agreement (BAA)?

The BAA is a legal document that is valid only when signed by an authorized individual designated to review and approve official legal documents on behalf of a sleep facility. Typically, hospital-owned sleep facilities require a CEO’s or privacy officer’s signature. Freestanding facilities may have the owner of the facility sign all legal documents. Sleep facilities applying for accreditation are responsible for determining the appropriate signatory and ensuring that an authorized individual has reviewed and signed the agreement.

Difference Between the AASM Template Agreement and the Customized Agreement Supplied by the Facility Applying for Accreditation

The template business associate agreement created by the AASM legal counsel is available for download at the time of an accreditation application and is automatically approved for signature by the AASM. From time to time, sleep facilities will opt to use their own agreement, possibly customized by their hospital’s legal counsel. Although both options are acceptable, customized agreements require careful review by the AASM and direct communication with the sleep facility’s legal department before the final version is ready for signature. Sleep facilities that wish to execute their own customized business associate agreements need to allow an average of 4-6 weeks for review and potential revisions before the agreement is ready for signature.

Where Can You Find the AASM Template Agreement?

Click the following link or download the AASM business associate agreement within the BAA section of the application.

Key Things to Keep in Mind

  • A business associate agreement provides protection to your patients’ health information, your sleep facility, and the AASM. Facilities that fail to comply voluntarily with the Privacy Rule Standards may be subject to civil money penalties.
  • Customized BAAs from applicants are not automatically accepted by the AASM and often require several revisions.
    • To speed the application process, ask your legal department or an authorized individual to review the AASM BAA template first to determine if it can be signed.
  • If the facility chooses to use a custom BAA, you may upload the BAA within the application without signatures from either party. Upon submission of your application, the AASM will work with your facility while in the application process to complete the agreement. Once the BAA has been approved and signed by both parties, a final copy of the BAA will be emailed to the primary contact listed on the account.
  • Business associate agreements signed by both parties (the AASM and sleep facility) must be on file at the AASM national office prior to receiving a site visit. Sleep facilities unable to complete the agreement will experience a delay in the accreditation process that will extend the time to receive a site visit.
  • All types of accreditation offered by the AASM (Sleep Facility, HSAT and DME) require a signed business associate agreement.
  • During reaccreditation, there is no need to resubmit another BAA unless changes are required as the signed agreement will be pulled into the current application.
    • Reasons to update a previously signed BAA:
      • When the Centers for Medicare & Medicaid Services (CMS) changes language
      • When the facility’s custom BAA changes
      • When the authorized signatory changes
  • To learn more about the HIPAA Privacy Rule, visit the HIPAA Privacy Rule webpage.