Business Associate Agreements are agreements that a business enters into with its service providers. These agreements protect the interests of both parties involved. A Business Associate Agreement is a contract between a business and its service providers to ensure that all parties are protected in the event of any disputes or litigation. The agreement also provides protection for the provider from any liability or legal issues related to their work on behalf of the business. The Business Associate Agreement (BAA) is a contract between a healthcare provider and their business partner. It is used to define the rights and responsibilities of both parties. The healthcare provider will provide the business partner with access to protected health information (PHI) in order to provide services related to providing care, conducting medical research, or marketing products or services. These agreements are necessary for any company that wants to work with a healthcare provider, as it provides transparency for both parties involved.
BAA is a term that stands for Business Associate Agreement. It is a legal document that defines the relationship between two parties: the business and its business associate. A BAA can help with 5 specific use cases for medical scribes:
A BAA is an agreement between a company and its medical scribe service provider. The company pays for the services provided by the third-party service provider. Outsourcing to a third-party billing service provider is when a company hires another company to do its billing for them. There are many benefits of outsourcing, such as cost savings, time savings, and more control over your business operations. However, there are also some drawbacks that come with outsourcing your billing. The main drawback of outsourcing is that you have less control over your business operations when using a third-party service provider because they have access to all of your data and will be able to make changes without consulting you first.
Any third party that handles protected health information (PHI) must sign business associate agreements (BAAs) with HIPAA-covered companies. Healthcare businesses are increasingly depending on third parties to manage enormous amounts of PHI as the cyber threat landscape changes and data privacy and security concerns grow. The need for thorough business associate agreements has arisen as a result, and they are now essential for privacy, security, and compliance.
The following details must be included in the Business Associate/Subcontractor Agreement:
S10.AI is a company that provides AI assistance for medical scribes. S10.AI signs a BAA with all its customers before starting to work with them. The S10.AI business associate agreement covers the following key aspects:
a. General. Business Associate agrees not to Use or Disclose PHI other than as permitted or required by the Agreement or as required by law.
b. Safeguards. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent the Use or Disclosure of PHI except as provided by this Agreement.
c. Agents. Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees (or has agreed), in writing, to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate also agrees to ensure that any such agent or subcontractor, to whom it provides Electronic PHI agrees (or has agreed to) in writing, to implement reasonable and appropriate safeguards to protect such Electronic PHI.
d. Right of Access. Business Associate agrees to provide access promptly during normal business hours, and in any case no later than seven (7) days from the request of Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524.
e. Audit and Inspection. Upon written request, the Business Associate agrees to make internal practices, books, and records relating to the Use and Disclosure of PHI available to the Covered Entity, or at the request of the Covered Entity, to the Secretary of the U.S. Department of Health and Human Services (“Secretary”) in a time and manner reasonably designated by Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with HIPAA. The provisions of this section shall survive termination of this Agreement.
f. Amendments. Business Associate agrees to make any amendment(s) to PHI in a designated record set as directed or agreed by the Covered Entity pursuant to 45 CFR 164.526 promptly and in any case no later than in ten (10) business days of receipt thereof. In the event that a request for amendment is delivered directly to Business Associate, Business Associate shall notify Covered Entity of such request promptly and in any case no later than in five (5) business days of receipt thereof.
g. Accounting of Disclosures. Business Associate agrees to document any Disclosures of PHI by Business Associate or its agents or authorized subcontractors, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate agrees to provide to Covered Entity information collected in accordance with this Section promptly, and in any case no later than in five (5) business days of receipt of a request by Covered Entity. In the event that a request for an accounting of disclosures is delivered directly to the Business Associate, Business Associate shall notify the Covered Entity of such request promptly and in any case no later than in five (5) business days of receipt thereof. The Covered Entity shall determine, in its sole discretion and with the cooperation of the Business Associate, whether the accounting will be provided by Business Associate or by the Covered Entity to the Individual.
To the extent the Business Associate is to carry out one or more of the Covered Entity’s obligation(s) under Subpart E of 45 CFR 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation.
h. Breach Notification. Business Associate agrees to adhere to regulations and policies as required by United States Law. Business Associate agrees to report to Covered Entity promptly and in any case no later than in three (3) calendar days (a) of Business Associate’s discovery, any Use or Disclosure of, or improper or unauthorized Use, Disclosure or access of PHI, including breaches of unsecured PHI as required at 45 CFR 164.410; (b) any Security Incident of which Business Associate becomes aware; and (c) any suspected or actual breach of Personal Information (“PI”), as defined by the Massachusetts Data Security Law, G.L. c. 93H (“Reportable Incident”).
a. Except as provided in 45 CFR § 164.412, Business Associate will give Covered Entity notice of any Reportable Incident under this Section promptly, and in any case no later than two (2) business days after the first day on which Reportable Incident is known, or by the exercise of reasonable diligence would have been known, to Business Associate. Business Associate further agrees to report to Covered Entity, in writing, any Security Incident promptly, and in any case no later than one (1) business day after confirming such Security Incident relating to Covered Entity’s PHI and any remediation or mitigation efforts taken. Business Associate agrees to comply with any subsequent reasonable requests from Covered Entity for Business Associate to notify media or individuals about any Reportable Incident of Covered Entity’s PHI or PI, as such media or individual notice may be required by state and/or federal law.
b. Any notice of a Reportable Incident referenced in this Section 2(i) will include the results of a written risk assessment, if applicable, demonstrating whether there is a low probability that the PHI has been compromised based on the required factors set forth in 45 CFR 164.402, and, to the extent possible, the names, addresses and phone numbers of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed.
c. The notice to Covered Entity required by Section 2(i) will be written in plain language and will include, to the extent possible or available, the following, unless otherwise required by law:
i. The identification of the Individual(s) whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during the Breach;
ii. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach;
iii. A description of the types of Unsecured PHI that were involved in the Breach (such as whether the full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
iv. Any steps Individuals who were subjects of the Breach should take to protect themselves from potential harm that may result from the Breach; and
v. A brief description of what Business Associate is doing to investigate the Breach, to mitigate the harm to Individuals, and to protect against further Breaches.
d. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this Agreement or applicable law.
a. Performance of Services. Business Associate may Use or Disclose PHI in connection with the performance of the Services if (a) such Use or Disclosure of PHI would not violate HIPAA if done by Covered Entity or (b) such Use or Disclosure is expressly permitted under this Section 3.
b. Minimum Necessary. Business Associate agrees to take reasonable efforts to limit requests for, Use and Disclosure of PHI to the minimum necessary to accomplish the intended request, Use, or Disclosure.
c. Proper Management and Administration. Business Associate may Use or Disclose PHI for the proper management and administration of Business Associate in connection with the performance of Services under the Service Agreement and as permitted by this Agreement; provided, however, that for any Disclosure pursuant to this paragraph Business Associate obtains reasonable assurances from the person or entity to whom the PHI is disclosed that (i) it will remain confidential and Used or further Disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
d. Other Permitted Uses. Unless otherwise limited herein, Business Associate may: (a) perform data aggregation for the health care operations of Covered Entity, as permitted by 45 CFR § 164.504(e)(2)(i)(B); (b) as requested by Covered Entity or authorized governmental agent, Use, analyze, and Disclose PHI in its possession for the public health activities and purposes set forth at 45 CFR § 164.512(b); and (c) de-identify PHI obtained by Business Associate under the Agreement and use such de-identified data so long as such de-identification and usage is in accordance with the de-identification requirements set forth in 45 CFR § 164.514(b).
e. Disclosures Required by Law. If Business Associate believes it has a legal obligation to disclose any PHI, it will notify the Covered Entity promptly, and in any case no later than three (3) business days prior to the proposed release, as to the legal requirement pursuant to which it believes the PHI must be released. If Covered Entity objects to the release of such PHI, Business Associate will allow Covered Entity to exercise its legal rights or remedies to object to the release of the PHI, and Business Associate agrees to provide such assistance to Covered Entity, at Covered Entity’s expense, as Covered Entity may reasonably request in connection therewith. Should the Covered Entity fail to respond, the Business Associate shall be entitled to Disclose the PHI as it deems reasonably necessary to comply with the law.
a. Notice of Privacy Practices. The Covered Entity shall notify the Business Associate of any limitation(s) in the Covered Entity’s Notice of Privacy Practices in accordance with 45 CFR § 164.520 to the extent that such limitation may affect the Business Associate’s Use or Disclosure of PHI.
b. Changes to Authorization. The Covered Entity shall notify the Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI to the extent that such changes may affect the Business Associate’s Use or Disclosure of PHI.
c. Restrictions on Consent. The Covered Entity shall notify the Business Associate of any restriction on the Use or Disclosure of PHI to which the Covered Entity has agreed in accordance with 45 CFR § 164.522, to the extent that such restriction may affect the Covered Entity’s Use or Disclosure of PHI.
d. Requests in Violation of HIPAA. The Covered Entity shall not request the Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.
a. Term. The Term of this Agreement shall commence as of the Effective Date and shall terminate either (a) as provided herein or (b) when the provision of Business Associate Services terminate and all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, or otherwise in Business Associate’s possession, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section. Notwithstanding the foregoing, the Business Associate may retain PHI as required by applicable law.
b. Termination for Cause. Upon the Covered Entity’s knowledge of a breach by the Business Associate under the terms of the Agreement, the Covered Entity may (i) provide a reasonable time for Business Associate to cure the breach provided that the Covered Entity may immediately terminate the Agreement if Business Associate does not cure the breach or end the violation within the time frame specified by Covered Entity; (ii) immediately terminate the Agreement if Business Associate has breached a material term of this Agreement and Covered Entity determines in its sole reasonable discretion that a cure is not possible; and (iii) if neither cure nor termination is feasible, may report the violation to the Secretary.
c. Effect of Termination. Except as provided in paragraph (a) of Section 5, upon the termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Business Associate, created or received by Business Associate on behalf of Business Associate, or otherwise in Business Associate’s possession. Business Associate shall retain no copies of the PHI in any form. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate agrees to extend the protections of this Agreement to such PHI and limit any further Uses and Disclosures of such PHI to only those purposes that make the return or destruction infeasible.
d. Remedies for Breach of Agreement. In the event of any breach of this Agreement by Business Associate, the Covered Entity may seek injunctive relief and/or monetary damages, regardless of whether the Agreement is terminated, and Covered Entity’s recovery through such legal action shall not be subject to any limitation on liability covenant or condition in any other agreement or engagement between the Parties. Business Associate hereby agrees and acknowledges that irreparable damage to Covered Entity would occur in the event that any of the provisions of this Agreement are breached and, accordingly, agrees that Covered Entity shall be entitled to both temporary and permanent injunction or injunctions to prevent breaches of this Agreement, and Covered Entity shall be entitled to enforce specifically the provisions of this Agreement in any court of competent jurisdiction, in addition to any other remedy to which Covered Entity shall be entitled under this Agreement or in law or in equity.
In order to sign a BAA with S10.AI Inc, click here
What are the key components of a Business Associate Agreement for medical scribe outsourcing?
A Business Associate Agreement (BAA) for medical scribe outsourcing should include several key components to ensure compliance with HIPAA regulations. These components typically include definitions of terms, the scope of services provided, the responsibilities of both parties regarding the protection of Protected Health Information (PHI), breach notification procedures, and termination clauses. Understanding these elements can help healthcare providers ensure that their partnerships with medical scribe companies are legally sound and protect patient privacy. Exploring the specifics of a BAA can provide peace of mind and enhance the efficiency of your practice.
How does a Business Associate Agreement protect patient data when outsourcing medical scribes?
A Business Associate Agreement (BAA) is crucial in protecting patient data when outsourcing medical scribes, as it legally binds the scribe service provider to comply with HIPAA regulations. The BAA outlines the responsibilities of the scribe company in safeguarding Protected Health Information (PHI), including implementing appropriate security measures, reporting any data breaches, and ensuring that all employees are trained in data privacy. By having a BAA in place, healthcare providers can mitigate risks and ensure that patient data remains confidential and secure, making it a vital step in the outsourcing process.
Why is a Business Associate Agreement necessary for healthcare providers using outsourced medical scribes?
A Business Associate Agreement (BAA) is necessary for healthcare providers using outsourced medical scribes because it establishes a legal framework for the protection of patient information. The BAA ensures that the scribe service provider adheres to HIPAA regulations, which is essential for maintaining patient trust and avoiding potential legal penalties. By clearly defining the roles and responsibilities of both parties, a BAA helps prevent data breaches and ensures that all parties are accountable for maintaining the confidentiality and integrity of patient data. Understanding the importance of a BAA can encourage healthcare providers to adopt best practices in data security and compliance.