Shred It Business Associate Agreement

A Business Associate Agreement (BAA) is a written contract between a HIPAA covered entity and a business associate (BA) in which the BA undertakes to safeguard all protected health information (PHI) it receives or creates while providing services to the covered entity. The purpose of a BAA is to hold BAs to the same data-protection obligations that already apply to covered entities, so that PHI is protected from unauthorized disclosure. In effect, the BA commits to complying with HIPAA's safeguard requirements whenever it handles PHI.

NAID (the National Association for Information Destruction) certifies that a shredding service actually follows secure destruction practices. Certification is entirely voluntary; a shredding service does not need NAID certification, but it is a quick way to gain confidence that the service takes privacy and confidentiality seriously. NAID also requires a cross-cut shredding process that reduces paper to a small particle size. Together, these requirements significantly reduce the privacy risk to PHI.

As part of your compliance with your HIPAA (or GLBA) business associate agreement and with state data-protection laws, you cannot simply trust that your shredding service is doing all the right things; you need to verify it. These six tips will help you evaluate your current shredding service or choose a new one. What matters is whether your shredding company actually meets these requirements.

If a covered entity hires a destruction company to destroy documents containing PHI and the company removes the documents from the site for shredding, the destruction company is most likely a business associate, and there should be a BAA between the covered entity and the destruction company. Many shredding companies claim to be HIPAA compliant and even provide their own BAAs to customers who need such an agreement; it is important to choose a company that understands and meets HIPAA requirements.

The number and scope of HIPAA audits have changed in recent years. In 2016, the Office for Civil Rights (OCR) launched Phase 2 of its audit program, which covers both covered entities and business associates, with fewer on-site audits. Instead, so-called "desk" audits are carried out, which include a request for a list of all of the covered entity's business associates. During Phase 1 of the audits, OCR only asked covered entities to provide a list of their business associate contracts; in Phase 2, OCR not only reviews BAAs but also audits the BAs themselves to determine whether they are actually HIPAA compliant. Covered entities must understand when a BAA is required and put such agreements in place, so that in the event of an audit they can produce the requested documentation and demonstrate compliance with the relevant HIPAA provisions.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 as a federal law that, among other goals, combats insurance fraud and medical identity theft. The law's Privacy Rule requires healthcare providers and their business associates to implement "appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information" (PHI). Therefore, when disposing of PHI, you must prevent unauthorized access to that information.