HIPAA ALERT: Business Associate Agreement

As a covered entity, you are required to have a written agreement in place with all business associates. This includes any third party vendors who handle your computer equipment, including servicing, reuse, resale or electronic recycling. Even if you have an in-house data destruction policy, an agreement will cover you if by chance a hard drive is missed in your internal process, which we’ve seen firsthand happen with some of our customers.

HIPAA penalties are not something to mess around with. Earlier this year, the Center for Children’s Digestive Health paid $31,000 for not having a business associate agreement in place with their medical records storage provider. Another case from March 2016, cost North Memorial Health Care of Minnesota 1.55 Million.

These examples are clear: Having a properly executed agreement in place with all vendors managing your data or data-containing equipment is critical to ensure HIPAA compliance.

In the agreement:

Make sure your vendor has compliant security and data destruction policies in place. HIPAA’s Privacy Rule refers to NIST SP 800-88 Guidelines, which outline proper disposal methods.

Make sure everyone who touches the process understands the requirements. All employees, whether at your location or working off-site, must receive training on your disposal policies and procedures. 

You also need to accurately account for all potential PHI under your control, so make sure you or your disposition vendor are tracking all devices, functioning and non-functioning, all the way through disposal. All of the effort you put into compliance will be wasted if you can’t show documentation. Make sure you receive a Certificate of Destruction for all data containing equipment you send out like phones, tablets, or computers, just in case you are ever challenged in an audit. 

Using an experienced partner like SEAM will make this process much easier.  With auditable documentation, industry knowledge and advice, more predictable costs, and peace of mind that you are in compliance with all current regulations, we strive to make your experience truly seamless.

We have experience creating business associate agreements to help you implement and execute compliant, secure and responsible procedures while gaining the most value back from your equipment. We provide on-location data destruction using our secure mobile shredding truck, as well as facility-based shredding and data wiping services. We also provide a transparent chain-of-custody audit trail from the point of collection all the way through final disposition.

At SEAM, your data security is our highest priority. Contact us to learn how we can help keep you in compliance.