Do you need to have a Business Associate Agreement?

10. July 2016 HIPAA

Business Associate Agreement

In either case, you need to get a Business Associate Agreement (BAA) or a contract signed. HHS.gov has this to say about it:

“A covered entity is a provider such as a doctor, clinic, psychologist, dentist, chiropractor, nursing home, pharmacies … but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.” Read more at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

No matter how you collect ePHI and what you do with it, if you are using an outside vendor, you need to get a Business Associate Agreement (BAA) signed. This is mandatory for your technology service providers who manage and handle ePHI among other things.
