Business Associate Agreements

HIPAA Compliant Cloud Storage
Abyde News, Best Practices, Business Associates, HIPAA

HIPAA and the Cloud: Is Your Patients’ Data Safe or at Risk?

September 18, 2025 No comments yet

September 18, 2025   Sure, your dog pics and selfies are safe in the cloud… but what about your patients’ data? When technology advances, your practice evolves too. As a healthcare provider, your job is to keep your patients and their data safe. The Health Insurance Portability and Accountability Act (HIPAA) covers protecting this data, especially how it is stored.  For example, what if a bad storm floods your practice and ruins an internal server? With cloud storage, this isn’t an issue. Cloud storage is hosted elsewhere and accessed through an internet connection, keeping your practice’s Protected Health Information (PHI) safe.  Cloud storage and computing are encouraged, but it’s up to your practice to utilize them compliantly.    Best Tips for Using Cloud Storage It’s time to do research before working with any cloud service provider. Some good questions to ask include:  Does this organization highlight its HIPAA policy on its site? Is it clear what safeguards they have in place to protect your data? Will they encrypt the PHI?  Are the servers where PHI is stored located within the United States?  While this is not a HIPAA requirement, it’s considered more secure than other nations.  Most importantly, is this cloud service provider aware of the extent of its HIPAA responsibilities?  Cloud service providers are considered Business Associates (BAs) under HIPAA. While BAs might not deal with patients directly, they handle patient data and are required to follow HIPAA legislation. Cloud service providers are considered BAs whether or not they have access to the encrypted data. Since they store it, they are considered BAs.  BAs must complete a Security Risk Analysis (SRA), train staff, maintain up-to-date documentation, and more, like any healthcare practice.  Before working with a BA, it is essential to complete a Business Associate Agreement (BAA). BAAs are legal contracts with BAs that ensure both parties are aware of their responsibilities when handling PHI and define the course of action if a breach occurs.  A BA and Covered Entity (or, healthcare practice) must complete a BAA before entering a business relationship. Your practice should also avoid working with BAs who do not want to be held legally responsible for handling PHI.  Not having a BAA with your cloud storage provider can get you into hot water with HIPAA. In fact, a university was fined nearly 3 million dollars by the Office for Civil Rights (OCR). The OCR discovered that the BA and the college never signed a BAA after a breach of student health data.   Storing PHI Compliantly While choosing the right cloud service provider can be extensive, it will significantly benefit your practice.  In fact, 83 percent of small healthcare practices surveyed named cloud-based EHR implementations the most meaningful business decisions they had made in the last few years.  By doing your due diligence, working alongside your IT team, completing a BAA, and continuing to ensure the proper safeguards are in place, your patients’ PHI can be stored safely in the cloud.  As your practice adopts more innovative data management methods, your HIPAA compliance should keep pace. With the right compliance software, your practice can easily streamline requirements like the BAA.  Meet with an expert today to learn more about HIPAA compliance in your practice.

HIPAA Business Associate Agreements
Abyde News, Best Practices, Business Associates, HIPAA

Under the Microscope: Your Business Associates Are Now the OCR’s Top Priority

August 4, 2025 No comments yet

August 4, 2025   Let’s talk paperwork. While that might not seem like the most interesting or important thing to focus on when running your practice, having the right documentation is key to its success.  A Business Associate Agreement (BAA) is one of the many documents you need to be HIPAA compliant when running a practice.  When working with Business Associates (BAs), or the third-party vendors who can access your practice’s Protected Health Information (PHI), you must have a signed agreement in place. These BAs can include anyone from your IT company to the company that handles your shredding. In short, if a business has any access to PHI, it’s required.  The Office for Civil Rights (OCR) has put Business Associates (BAs) in the hot seat, with proposed new legislation strengthening their requirements and millions of dollars in fines imposed this year alone. It’s time to take a fresh look at your partnerships, and the best place to start is by having a solid BAA.    What does a BAA do?  First things first, what does a BAA even do for your practice? What does it include?  Well, this required agreement outlines all responsibilities your practice and business partner must follow when handling PHI. The document includes the definition of PHI, when the BA can use the data, and how each party must secure data. This legally binding agreement ensures each party understands the serious nature of handling PHI.  Overall, it’s another layer of protection to clearly define your relationship with a BA.  A BAA is essential, especially when a Business Associate experiences a data breach. Business Associates are frequent targets for malicious actors.  One of the first fines in 2025 was a $90,000 penalty for a ransomware breach that targeted a data hosting company. This breach exposed the PHI of patients from 12 different healthcare practices. These 12 healthcare practices would also need a BAA with the hacked party. If not, the Covered Entity could also be liable for the BA’s missteps.  The OCR has also fined Covered Entities for missing a BAA. Here’s a prime example: A healthcare provider was in a nasty dispute with their BA. They even reported the BA to the OCR, claiming the BA was holding PHI hostage for a $50,000 payment. But here’s where it took a turn: The OCR didn’t just investigate the BA; they also focused on the healthcare provider. The result? The OCR slapped the provider with a $100,000 fine for missing crucial documentation, including, you guessed it, a BAA.   Keeping BA Partnerships Secure While ensuring documentation is in order is no one’s idea of fun, protecting your practice and keeping patients’ data safe is imperative.  With the right solution, your practice can make documentation a piece of cake. While a BAA may not be as appealing as chocolate fudge, software can streamline the process, creating a legally sound and complete document that is just as satisfying. Meet with an expert today to learn more about ensuring compliant vendor relationships. 

HIPAA Compliant Phone Calls
Best Practices, Business Associates, HIPAA

1-800-HIPAA: Guide to Compliant Phone Calls

April 12, 2024 Comments Off on 1-800-HIPAA: Guide to Compliant Phone Calls

April 12, 2024 Brrring Brrring Brring! It’s your friends from Abyde calling! Pick up! We have some worthwhile tips and tricks to share with you today.  While we all love a good chat on the phone when working with Protected Health Information (PHI), it’s key to keep things confidential.  That’s why today, pick up our call and learn how your practice can make compliant phone calls. By following our tips, you’ll be a confident phone pro, ready to chat with patients while keeping their privacy a top priority. So, are you ready to answer? Let’s get started! Hello, it’s HIPAA In the digital age, there are numerous ways to connect and share information with patients. Reaching out to patients through the phone is still a common practice, but you need to be able to navigate it safely.  First, ensure your phone systems are HIPAA-compliant before sharing any PHI. This includes end-to-end encryption, user authentication, audit control, automatic log-off, and other strong security features.  When onboarding with a cloud-based phone service, make sure a Business Associate Agreement (BAA) is signed with the provider, ensuring accountability and liability when it comes to the protection of patient data.  Listen, we know you might be itching to chat after your visit –   you genuinely care about our patients and their well-being, but there aren’t a ton of reasons to call a patient.  While HIPAA restricts casual chit-chat, some of the reasons to call a patient include: Additionally, if you are calling a Business Associate (BA), make sure a BAA is signed before communicating any PHI through the phone.  When in Doubt, Leave it Out! When on the phone with a patient or a BA and you’re disclosing PHI, the Minimum Necessary Requirement is at play. As in the name, this standard means only the minimum necessary information about a patient’s health information should be disclosed.  FCC, or the Federal Communications Commission has come out and given guidance on HIPAA-compliant phone calls. Keep it short and sweet! Phone calls should be less than 60 seconds or less than 160 characters in text length.  And, don’t blow up any patient’s phone with calls! The FCC says patients should only receive three calls a week, or one text a day.  To ensure patient privacy and clear communication, keep calls brief and focused.  Before sharing any information, take a moment to verify the patient you are speaking with.  Phoning Family While it’s only normal for a family to worry about a patient’s health, sharing this information is a different story.  Under HIPAA, the patient has to agree for their PHI to be shared with family. Once again, only the minimum information required can be shared.  However, if a patient is incapacitated, PHI can be shared with the family if it’s considered in their best interest. Once a patient is lucid again, the patient can retract permission for PHI to be shared with family.  Dialing Up Patient Trust Phone calls are a common and effective way to quickly share information with patients. Like anything regarding PHI, it’s vital to stay compliant, keeping patient information secure.  By properly handling phone calls at your practice, you’ll strengthen patient trust, improve communication, and reduce compliance risks with the right tools. Abyde can be one of those trusted tools, being a cloud-based solution that streamlines the compliance process. Abyde will assist you in having everything you need to be compliant, keeping you in check and creating a culture of compliance at your practice.  To learn more about what your practice needs to do to be compliant, email info@abyde.com, call us at 1.800.594.0883,  and schedule a consultation here.     

Business Associate Agreements Portal
Best Practices, Business Associates, HIPAA

Abyde Feature Week: BA | CE Portal

March 21, 2024 Comments Off on Abyde Feature Week: BA | CE Portal

March 21, 2024 Let’s go! Day number four of Feature Week. We hope you’ve stayed tuned as we go over all the wonderful features that make Abyde the leading compliance software for Business Associates (BAs). We know that running your business can be tough, so we simplify compliance, so you can focus on being successful in your business.  So far, this week we’ve gone over our intuitive Security Risk Analysis (SRA), our unique Scorecard, telling you what you need to do to be compliant based on your answers, and yesterday, our dynamically generated custom Policies and Procedures, saving your business countless hours in drafting documentation.  How does this software get even better? Well, it does!  Today, we’ll go over our state-of-the-art BA and CE (Covered Entity) Portal, where you can manage your Business Associate Agreements (BAAs).  As we say here at Abyde, who does it better than us? NOBODY!  BAA-lieve It or Not: The Importance of Business Associate Agreements A Business Associate Agreement, or a BAA, is an agreement between a BA and CE, or a Sub-BA, that outlines the roles and responsibilities of both parties when it comes to securing Protected Health Information (PHI).  In simpler terms: a contract that spells out what each party needs to do when it comes to HIPAA compliance.  One of the top HIPAA violations BAs make is not having a Business Associate Agreement in place.  This agreement is required by the government, making sure both parties are aware of the responsibilities that come along with handling sensitive patient information.  BAs must have agreements in place with all CEs and Sub-BAs they work with.  Managing these agreements could be complicated without Abyde, being unaware of what needs to go into an agreement, getting it over to be signed and knowing when these agreements expire.  But with Abyde, you don’t need to worry about this, simplifying the compliance process even more. Like how we dynamically generate custom Policies and Procedures, we create BAAs for you.  All we need you to do is digitally sign. The BAA will be sent over by email through the software and will be stored in our nifty BA | CE Portal.  Have an agreement expiring soon? We’ll notify you, giving you plenty of time to update your documentation so you can stay compliant.  All BAAs are easily downloadable from the software and can be reviewed at all times. Have a partner who hasn’t signed yet? We’ll send reminders for them, too.  With our revolutionary features, we think it’s clear: we want to make compliance the easiest part of running your business.  To learn more about how you can manage your Business Associate Agreements with the Abyde software, email info@abyde.com and see it in action here.

Why You Need a Business Associate Agreement
Best Practices, Business Associates, HIPAA

When & Why You Need a Business Associate Agreement

April 20, 2021 Comments Off on When & Why You Need a Business Associate Agreement

April 20, 2021 We’ve all heard the saying ‘sharing is caring’ but sometimes doing a good deed could actually steer you into some consequences later down the road. Let’s say, for example, you just loaned your car to your best bud whose “quick trip to the store” actually consisted of running red lights and racking up parking tickets. Though you might not have been the one in the driver’s seat – your name will be the one on all of the lovely fines that wind up in your mailbox, not your BFF’s. Now you’re probably wondering where we’re going with all of this. And while cars and protected health information (PHI) might not have a whole lot in common, it goes to show how certain situations in life require additional precautions to minimize the risk of being responsible for another’s wrongful actions. This idea rings especially true when it comes to working with and sharing something as valuable as sensitive health information. HIPAA law provides a pretty specific roadmap for how your practice should be safeguarding PHI and outlines certain standards that if not met – could result in a hefty fine. But with all the government requirements, advancements in technology, and changing patient needs – it’s impossible today to run a practice without the help of third-party vendors. So whether it be an outside medical billing company, IT support, or document shredding company – any vendor that comes into contact with PHI is a business associate (BA) of your practice and requires their own set of directions for proper handling.  Just as covered entities have obligations under HIPAA law, so do business associates – with one of the most important being a documented and signed Business Associate Agreement (BAA). A BAA is essentially a written agreement between your organization and the business associate, specifying each party’s responsibilities when accessing and maintaining PHI and it offsets the liability so that your practice can take a backseat if any incidents were to occur.  As you probably wouldn’t hand over your keys to just anyone without laying down some ground rules first, the same goes for providing access to patients’ sensitive health information. Like most contracts, the terms and conditions in a proper BAA can be pretty lengthy and may vary based on the type of vendor you’re working with – but here are some of the basic HIPAA requirements that should be outlined:  Permitted uses and disclosures of PHI Specific safeguards that the BA is expected to establish Breach Notification requirements Policies and procedures for providing PHI access at your practice’s or patient’s request Business Associate Training requirements Guidelines for how PHI should be returned or destroyed upon termination of the BAA Meeting all the requirements for what should be included in a BAA is just the first stretch of the drive, and something we’re often asked is, “What if one of my vendors refuses to sign?” Given the fact that having a signed BAA with all vendors you work with is a HIPAA requirement, it’s probably a good idea to put the brakes on any working relationship with a vendor who can’t agree to your terms and conditions. Just last year a medical practice found itself a victim of a HIPAA hit and run after filing a breach report stating that their EHR company was blocking access to the practices’ ePHI in exchange for $50,000 to be paid by the practice. While it might seem pretty obvious that the business associate was the driving force of the incident, because there was no BAA in place – the $100,000 in damage fell solely on the provider.  A Business Associate Agreement not only lays out the rules of the road for how PHI should be handled but holds the BA directly liable for any non-compliance that happens when they’re behind the wheel. Having a proper agreement in place with each and every vendor you work with ensures that they’re best protecting your patients’ PHI and means that your practice can steer clear of the hefty HIPAA fines if they don’t.

Missing Business Associate Agreements HIPAA Fine
Fines, HIPAA

Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine

March 3, 2020 Comments Off on Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine

March 3, 2020 Announced today, a medical practice in Utah has come to a $100,000 settlement with the OCR for their failure to meet HIPAA requirements under the Security Rule. The practice of Steven A. Porter, M.D. received the $100,000 monetary settlement in addition to submitting to a corrective action plan over the next two years after a breach report led to the OCR’s investigation of the practice’s HIPAA compliance program.  The investigation began after the practice filed a breach report regarding a complaint against a Business Associate of the practice’s EHR company. The Business Associate (BA) was blocking access to the practices’ patient’s electronic protected health information in exchange for $50,000 to be paid by the practice.  While the original complaint was against the BA, once the investigation was initiated by the Office for Civil Rights, it was the practice that found themselves in the government’s crosshairs. Within the compliance review, the OCR had found that the practice had failed to do the following:  Unfortunately for the practice, their lack of proper safeguarding and documentation of compliance cost them a hefty fine and put their patient’s PHI at risk. This breach, and corresponding financial settlement, highlights that even when working with typical healthcare vendors, such as EHR providers, the right Business Associate Agreements and HIPAA-compliant policies are required to prevent impermissible safeguarding or access to PHI. OCR Director, Roger Severino, included a statement in the HHS press release regarding the incident. “All health care providers, large and small, need to take their HIPAA obligations seriously, the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.” This fine follows a recent article highlighting the OCR’s focus on “low hanging fruit” and commitment to address an ongoing lack of HIPAA compliance among covered entities. As these violations continue to see costly outcomes, it is more important now than ever to ensure your practice has a full HIPAA program in place. 

How does AI impact your practice? Join our next webinar to learn the latest.

REGISTER NOW
X

Are you ready for an audit? Use our new HIPAA Audit Checklist to get prepared.

DOWNLOAD NOW
X