Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In this episode, we’re diving into Business Associate Agreements (BAAs) for group practice owners.

We discuss what a BAA is; who is considered a business associate; how to execute and enforce a BAA; documenting BAAs; evaluating if a BAA is sufficient; why a HIPAA statement is not a replacement for a BAA; precedent for enforcement action from the Office of Civil Rights; and what qualifies under the conduit exception.

Resources

PCT Resources

  • PCT article:  What Is a HIPAA Business Associate?
  • PCT free CE course:  Introduction to HIPAA Security for Group Practice Leaders
  •  Group Practice Care Premium 
    • for weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing documenting personal & practice-provided devices (for *all* team members at no per-person cost)
    • +  assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing documenting Remote Workspaces(for *all* team members at no per-person cost)
    • + more
    • PCT’s  Group Practice PCT Way HIPAA Compliance Manual & Materials  — comprehensive customizable HIPAA Security Policies & Procedure and materials templates specifically for mental health group practices. with a detailed step-by-step project plan and guided instructions for adopting & implementing efficiently
      • Policies & Procedures include: Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.
        • Computing Devices and Electronic Media Technical Security Policy
        • Bring Your Own Device (BYOD) Policy
        • Communications Security Policy
        • Information Systems Secure Use Policy
        • Risk Management Policy
        • Contingency Planning Policy
        • Device and Document Transport and Storage Policy
        • Device and Document Disposal Policy
        • Security Training and Awareness Policy
        • Passwords and Other Digital Authentication Policy
        • Software and Hardware Selection Policy
        • Security Incident Response and Breach Notification Policy
        • Security Onboarding and Exit Policy
        • Sanction Policy Policy
        • Release of Information Security Policy
        • Remote Access Policy
        • Data Backup Policy
        • Facility/Office Access and Physical Security Policy
        • Facility Network Security Policy
        • Computing Device Acceptable Use Policy
        • Business Associate Policy
        • Access Log Review Policy
      • Forms & Logs include:
        • Workforce Security Policies Agreement
        • Security Incident Report
        • PHI Access Determination
        • Password Policy Compliance
        • BYOD Registration & Termination
        • Data Backup & Confirmation
        • Access Log Review
        • Key & Access Code Issue and Loss
        • Third-Party Service Vendors
        • Building Security Plan
        • Security Schedule
        • Equipment Security Check
        • Computing System Access Granting & Revocation
        • Training Completion
        • Mini Risk Analysis
        • Security Incident Response
        • Security Reminder
        • Practice Equipment Catalog
      • + Workforce Security Manual & Leadership Security Manual — the role-based practical application oriented distillation of the formal Policies & Procedures
      • + 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer.

    v1.25.07-beta

    Scheduled Maintenance

    We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss