Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In this episode, we’re diving into Business Associate Agreements (BAAs) for group practice owners.
We discuss what a BAA is; who is considered a business associate; how to execute and enforce a BAA; documenting BAAs; evaluating if a BAA is sufficient; why a HIPAA statement is not a replacement for a BAA; precedent for enforcement action from the Office of Civil Rights; and what qualifies under the conduit exception.
Resources
PCT Resources
- PCT article: What Is a HIPAA Business Associate?
- PCT free CE course: Introduction to HIPAA Security for Group Practice Leaders
- Group Practice Care Premium
- for weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing documenting personal & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing documenting Remote Workspaces(for *all* team members at no per-person cost)
- + more
- PCT’s Group Practice PCT Way HIPAA Compliance Manual & Materials — comprehensive customizable HIPAA Security Policies & Procedure and materials templates specifically for mental health group practices. with a detailed step-by-step project plan and guided instructions for adopting & implementing efficiently
- Policies & Procedures include: Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.
- Computing Devices and Electronic Media Technical Security Policy
- Bring Your Own Device (BYOD) Policy
- Communications Security Policy
- Information Systems Secure Use Policy
- Risk Management Policy
- Contingency Planning Policy
- Device and Document Transport and Storage Policy
- Device and Document Disposal Policy
- Security Training and Awareness Policy
- Passwords and Other Digital Authentication Policy
- Software and Hardware Selection Policy
- Security Incident Response and Breach Notification Policy
- Security Onboarding and Exit Policy
- Sanction Policy Policy
- Release of Information Security Policy
- Remote Access Policy
- Data Backup Policy
- Facility/Office Access and Physical Security Policy
- Facility Network Security Policy
- Computing Device Acceptable Use Policy
- Business Associate Policy
- Access Log Review Policy
- Policies & Procedures include: Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.
-
- Forms & Logs include:
- Workforce Security Policies Agreement
- Security Incident Report
- PHI Access Determination
- Password Policy Compliance
- BYOD Registration & Termination
- Data Backup & Confirmation
- Access Log Review
- Key & Access Code Issue and Loss
- Third-Party Service Vendors
- Building Security Plan
- Security Schedule
- Equipment Security Check
- Computing System Access Granting & Revocation
- Training Completion
- Mini Risk Analysis
- Security Incident Response
- Security Reminder
- Practice Equipment Catalog
- + Workforce Security Manual & Leadership Security Manual — the role-based practical application oriented distillation of the formal Policies & Procedures
- + 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer.
- Forms & Logs include: