Business Associate Agreement Fact Sheet
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”)
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and wellbeing.
Who is Authorized to Sign the Business Associate Agreement?
The BAA is a legal document that is valid only when signed by an authorized individual designated to review and approve official legal documents on behalf of a sleep facility. Typically, hospital-owned sleep facilities require a CEO’s or privacy officer’s signature. Freestanding facilities may have the owner of the facility sign all legal documents. Sleep facilities applying for accreditation are responsible for determining the appropriate signatory and ensuring that an authorized individual has reviewed and signed the agreement.
Purpose of the Business Associate Agreement
Facilities, HSAT service entities, and DME suppliers applying for accreditation (covered entities) and the AASM (business associate) are required to complete a Business Associate Agreement in compliance with the HIPAA Privacy Rule. The agreement is necessary to allow AASM site visitors access to Protected Health Information (PHI) contained in patient medical records. This access is used at the time of a site visit for accreditation purposes only. Failure to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may result in civil money penalties.
Where Can You Find the AASM Template Agreement?
Download the AASM business associate agreement.
Difference Between the AASM Template Agreement and the Customized Agreement Supplied by the Facility Applying for Accreditation
The template business associate agreement created by the AASM legal counsel is available for download at the time of an accreditation application and is automatically approved for signature by the AASM. From time to time, sleep facilities will opt to use their own agreement, possibly customized by their hospital’s legal counsel. Although both options are acceptable, customized agreements require careful review by the AASM and direct communication with the sleep facility’s legal department before the final version is ready for signature. Sleep facilities that wish to execute their own customized business associate agreements need to allow an average of 4-6 weeks for review and potential revisions before the agreement is ready for signature.
Key Things to Keep in Mind
- A business associate agreement provides protection to your patients’ health information, your sleep facility, and the AASM. Facilities that fail to comply voluntarily with the Privacy Rule Standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.
- Customized business agreements from applicants are not automatically accepted by the AASM and often require several revisions. Ask your legal department or an authorized individual to review the AASM template business associate agreement first to see if it can be signed prior to submitting the customized agreement for a quicker application process.
- If the facility would like to submit their accreditation application prior to having an AASM signature on the custom BAA, the entity must upload the document without signatures into the Business Associate Agreement section of the accreditation application. The AASM will work with your facility while in the application process to complete this agreement. Once the BAA has been approved and signed by both parties, the executed BAA will be uploaded into your application and emailed to the primary contact listed on the account.
- Business associate agreements signed by both parties (the AASM and sleep facility) must be on file at the AASM national office prior to receiving a site visit. Sleep facilities unable to complete the agreement will experience a delay in the accreditation process that will extend the time to receive a site visit.
- All types of accreditation offered by the AASM (Sleep Facility, HSAT and DME) require a signed business associate agreement.
- During reaccreditation, previous agreements signed by both parties may be reused as long as no new language needs to be included. Typically, agreements signed prior to 2013 would need to be updated as new HIPAA language was released.
- To learn more about the HIPAA Privacy Rule, visit the HIPAA Privacy Rule webpage.