BAA vs BASA: What Is the Difference Between a BAA and BASA?

You may be surprised to learn that there are two types of business associate agreements related to HIPAA compliance. Most healthcare professionals will already know what a BAA consists of, but did you know that there is also a Business Associate Subcontractor Agreement?

Both agreements are a vital part of HIPAA compliance, forming the basis of the contractual agreements between a covered entity and a business associate. Here is a breakdown of the two types of business associate relationships:

• BAA: Business Associate Agreement between a Covered Entity and a Business Associate
• BASA: Business Associate Subcontractor Agreement between a Business Associate and a subcontractor

While each agreement synergizes with the other and they share much in common, the key factor is that the Business Associate that has the subcontractor relationship, not the covered entity. A BASA is needed if the Business Associate outsources part of a service to another company or service provider.

To demonstrate, consider system backups that contain Protected Health Information; on occasion, there might be a requirement to archive PHI insurance data to an external data warehouse, perhaps on tape or in the cloud. The business associate may choose to outsource this responsibility to a subcontractor.

The Covered Entity must be made aware of the details of such an arrangement, but it is the Business Associate that maintains the relationship with the subcontractor. The BASA makes the subcontractor liable for the safeguarding of PHI as per the rules of HIPAA compliance, the BAA, and the BASA.

Both agreements outline the shared responsibilities between the Covered Entity and the Business Associate or the Business Associate and the Subcontractor.

What Is a BAA?

To recap, the requirement to hold a Business Associate Agreement was introduced in 2003 as part of the HIPAA Privacy Rule amendments. A Covered Entity (CE) is considered to be any healthcare provider, health plan provider, or clearinghouse. A Business Associate is someone that handles or processes PHI on behalf of the covered entity.

Atlantic.Net is a business associate, as we provide HIPAA Compliant hosting services to the healthcare industry. Covered Entities may use our service to process and transmit protected health information. We sign a BAA with each of our healthcare clients to document our responsibilities and the guarantees we adhere to when handling PHI.

Atlantic.Net’s BAA offers assurances regarding our HIPAA and HITECH accreditations and details the guarantees we provide for each of the administrative, physical, and technical safeguards we uphold to secure Protected Health Information.

What Is a BASA?

The Business Associate Subcontractor Agreement is very similar to a BAA, but with subtle differences that govern the obligations and activities of the subcontractor. The BASA permits the subcontractor to process or disclose PHI under HIPAA regulations (typically redacted information).

There are several additional obligations required of a subcontractor that creates, receives, maintains, or transmits on behalf of another business associate. The obligations vary depending on who the subcontractor is.

Types of subcontractors

There are numerous examples of subcontractors that need access to protected health information as part of their daily tasks. If any of this information is processed or transmitted by the Business Associate, then a Business Associate Subcontractor Agreement must be in place.

All subcontractors have a relationship with the business associate. here are the most common types of subcontractors that will process PHI:

• Accountants – medical accountants, or for example, those who work for insurance companies to process patient medical bills, will likely have access to sensitive protected health information. HIPAA compliant accounting software such as Clinko,  Lytec, or NueMD might use data collected on a Business Associate’s infrastructure
• Consultancy Firms   – many healthcare organizations outsource some or all of the HIPAA compliance responsibility to a consultancy firm, a company that specializes in gaining compliance for its customers. A business associate may be required by terms within the BAA to share PHI with the subcontractor consultancy firms
• Lawyers – any attorney who provides legal services to a health plan in reviewing a benefits claim would likely be a business associate subcontractor if the claim involves PHI
• Medical equipment engineering –  field engineers or service companies may be handling equipment that holds PHI, in particular, if the equipment must be sent offsite for repair or servicing. Consider a medical imaging device that has failed mid-consultation; it’s possible PHI would still be on the device, and as a result, the company responsible would need to sign a BASA
• Translator services – medical interpreters are bound by HIPAA regulations as well, similar to doctor-patient confidentiality; interpreters may need access to PHI to assess a client
• Shredding services – you may think that shredding services are just responsible for paper records, but in reality, any Protected Health Information that is stored digitally is still bound by the same rule. If a tape hosted at Iron Mountain is damaged in transit, a certified record will be needed to prove its destruction
• Cloud Service Providers – external cloud providers may be used by a business associate; a good example is Microsoft Office and OneDrive. Cloud vendors can be both under a BAA or BASA depending on if there is a middle vendor between the Cover Entity and the Cloud Vendor.

Why choose Atlantic.Net as your next Business Associate

Atlantic.Net has more than 25 years of experience exceeding the needs of health professionals and is one of the country’s leading healthcare technology companies. If you’re in this industry and you need help with IT, contact our sales team to find out how our managed services could help your organization.

If you are in the market for managed IT healthcare services, make sure you choose an experienced HIPAA compliant provider that focuses on security, business continuity, and scalability: a provider that can grow with you, and one that focuses on collaboration and data interoperability. We know that the regulations of the industry are intense, but Atlantic.Net can take away the stress of managing your entire IT operation.

We have an extensive list of healthcare clients who have trusted us for many years, and our managed service packages do allow you to forget about the complexities of IT and focus on your patients. We will protect your infrastructure from the very latest cybersecurity threats, as well as manage upgrades and maintenance behind the scenes. We will work with you to identify and secure PHI, protect you from ransomware attacks, and offer you the very best Healthcare Managed Services platform available.Atlantic.Net offers HIPAA Cloud and HIPAA Compliant Hosting services to support IT Solutions for Healthcare.