Q: Is a Business Associate Agreement ("BAA") needed?
A: Some hospitals require a BAA to launch their Breast Pump Depot. We are happy to execute a BAA if the hospital deems it necessary, but we do not require it. A Business Associate Agreement is attached for your review.
The purpose of a BAA is to ensure that an entity that obtains protected health information (“PHI”) from a Covered Entity (“CE”) and is acting on behalf of the CE will take the appropriate steps to ensure compliance with HIPAA. A BAA is required when a CE is going to be sharing its information with another entity to allow that entity to perform activities on behalf of the CE. In the case of the Breast Pump Depot, it is providing care directly to the patient as a CE. The information being provided by the hospital is to facilitate the coordination of care of the patient. It is not provided so that the Breast Pump Depot can perform an activity on behalf of the hospital. For this reason, a BAA is not required. However, since the Breast Pump Depot is acting in its capacity as a CE, it will need to be compliant with HIPAA and ensure that the patient’s PHI is secure. The Breast Pump Depot has an active HIPAA Compliance Plan in place and is compliant with the requirements of HIPAA.