According to the regulations, any vendor or service that has access to patient health information is required to execute a business associate agreement with you, the healthcare provider. Communications systems that store voicemail, chat and text messages are part of that requirement, and you as a healthcare provider are responsible for ensuring compliance.
According to the Department of Health and Human Services (HHS), a Business Associate (BA) is:
“[A] person or entity, other than a member of the workforce of a covered entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”
There are 5 landmark cases in the HIPAA era, including a $5.55 million fine against Advocate Health Care for multiple data breaches that affected almost 4 million individuals.
And if you think you don’t have to worry because you’re not a major hospital or health organization, Indiana dentist Dr. Joseph Beck was fined $12,000 and had his license permanently revoked for a breach that impacted 5,600 people. Read more about these 5 breaches and penalties at https://compliancy-group.com/5-landmark-ocr-settlements-20-years-hipaa/.
Based on information from the Compliancy Group, the following are the most common examples of businesses from whom you will need a Business Associate Agreement:
For more questions and more in-depth answers, we suggest visiting https://www.hhs.gov/hipaa/for-professionals/faq.