Business Associate Agreements and Private Practice
If you transmit any health information in electronic form in connection with a transaction for which the Dept. of Health and Human Services (HHS) has adopted a standard (claims, eligibility checks, remittance advice and the like), then you are considered a "covered entity."
Covered entities are required to get signed business associate agreements with every partner and vendor that creates, receives, maintains, or transmits your organization's protected health information on your behalf. These Business Associate Agreements ensure that all parties understand their responsibility for also complying with the HIPAA Privacy and Security regulations pertaining to any protected health information they come into contact with.
Breaches of unsecured protected health information must be reported (to the affected individuals and to HHS, and in larger breaches to the media), and the penalties for unauthorized disclosure of protected health information are severe.
The HITECH Act of 2009 requires the Department of Health and Human Services to conduct periodic audits of covered entities and their business associates to make sure that you are meeting the HIPAA requirements.
Visit the Department of Health and Human Services website for a Sample Business Associate Agreement.
If you are not sure whether you are in compliance, I'd suggest that you contact all partners and vendors from whom you receive services and discuss the business associate agreement requirements.
I’d also recommend that you speak with an IT company familiar with HIPAA and HITECH requirements to help you to assess your level of security and compliance and make recommendations based on your unique situation.