HIPAA

BAAs and Signatures

  • 1.  BAAs and Signatures

    Posted 05-21-2020 03:01 PM
    Hello all!

    I could not find anywhere in the Privacy Rule that the written BAA must have signatures from both parties.  Is this a required element?

    One of our clearinghouses has all of our agreements including the BAA posted on their portal, and found that it includes no signatures.

    I just was not sure if I am to pursue a copy with a signature, or we are with the understanding that if we registered with them for services, is implied that we are in agreement with what is delineated in the BAA.

    Any advice on this would be greatly appreciated.

    ------------------------------
    Mary Jordan, CHPC
    Privacy Officer

    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: BAAs and Signatures

    Posted 05-21-2020 03:47 PM
    I would think they would be signed as how would you hold them accountable?

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau,AK
    ------------------------------

    19th Annual CEI Virtual Conference


  • 3.  RE: BAAs and Signatures

    Posted 05-21-2020 03:56 PM
    It isn't a "Privacy Rule" issue exactly but to have a binding agreement, you need both sides to agree to it.   Signatures are the typical way we evidence agreement but your state law may allow other means/evidence to establish a binding contract (written evidence of acceptance, course of conduct etc.).

    From a practical perspective, get signatures and consult a lawyer if you realize you failed to and the validity of the BAA is being challenged by the purported BA or an auditor.

    ------------------------------
    Scott Intner
    Chief Compliance Officer
    GW Medical Faculty Associates
    Washington,DC
    ------------------------------

    19th Annual CEI Virtual Conference


  • 4.  RE: BAAs and Signatures

    Posted 05-21-2020 04:28 PM
    Mary,
    We no longer have or use standalone BAAs. Ours, incorporated as an Exhibit, form part of an overall signed Professional Services Contract.

    ------------------------------
    David Rothery, CHC, AWI-CH
    Compliance & Privacy Officer
    Health & Human Services
    Marin County, CA


    These are my personal opinions and not those of the County of Marin
    ------------------------------

    19th Annual CEI Virtual Conference


  • 5.  RE: BAAs and Signatures

    Posted 05-22-2020 11:19 AM
    Thank you all for your feedback!

    It does make it kind of confusing knowing what to do, when big corporations like Microsoft do not handle BAA signature requirements like the smaller local vendors.  they send all digitally and do not accept BAA signatures exchange.

    Thank you again!

    ------------------------------
    Mary Jordan, CHPC
    Privacy Officer
    Salem,OR
    ------------------------------

    19th Annual CEI Virtual Conference


  • 6.  RE: BAAs and Signatures

    Posted 05-23-2020 07:48 AM
    The Privacy Rule at 45 CFR 164.504 refers to these documents as "Business Associate contracts." As Scott pointed out, the generally accepted definition of a contract is a legally binding agreement between 2 parties. The way to effectuate the contractual agreement is with a signature.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------

    19th Annual CEI Virtual Conference