Q: Is a Business Associate Agreement ("BAA") needed?
A: Some hospitals require a BAA to launch their Breast Pump Depot®. We will readily execute a BAA if your hospital deems it necessary, but we do not require it.
The purpose of a BAA is to ensure that an entity that obtains PHI from a CE and is acting on behalf of the CE will take the appropriate steps to ensure compliance with HIPPA. A BAA is required when a CE is going to be sharing its information with another entity to allow that entity to perform activities on behalf of the CE. In the case of Breast Pump Depot®, it is providing care directly to the patient as a CE. The information being provided by the hospital is to facilitate the coordination of care of the patient. It is not so Breast Pump Depot® can perform an activity on behalf of the hospital. For this reason, a BAA is not required. However, since Breast Pump Depot® will be acting in its capacity as a CE, it must be compliant with HIPPA and ensure that all PHI is secure.
As mentioned, Breast Pump Depot® has an active HIPPA Compliance Plan in place and is compliant with the requirements of HIPPA.