PicSafe allows you to comply with HIPAA and HITECH, but there is no need for a Business Associate Agreement (BAA).
PicSafe is not deemed a Business Associate because, in short, PicSafe is considered a "conduit" and does not access protected health information (PHI) on a routine basis. Like the US Postal Service, UPS or FedEx, PicSafe acts as a digital courier and does not fall under HIPAA's purview. This does not mean that you cannot comply with HIPAA when using PicSafe. See the "Is PicSafe HIPAA & HITECH compliant?" FAQ.
No. Given that PicSafe is not deemed a Business Associate, entering into a BAA is technically not required. Entering into one out of an abundance of caution would make both parties subject to contractual liabilities they would not otherwise have.
From a covered entity's perspective, there is a common but mistaken assumption that a covered entity is vicariously liable for a contractor's HIPAA violations. HIPAA states that a covered entity is liable for a business associate's actions only if the business associate is acting as an agent of the covered entity, that is, the covered entity had the right to control the business associate's actions (45 CFR 160.402(c); 78 FR 5581). Executing a BAA may suggest an agency relationship or give the covered entity greater control over the contractor's actions, and that relationship may in turn trigger vicarious liability. Since it is in a covered entity's interest to limit its liability, it is in its interest to avoid signing a BAA.
From PicSafe's perspective, frankly, PicSafe does not want to bear the cost of complying with regulations that do not otherwise apply to it, nor does it wish to expose itself to HIPAA penalties for noncompliance. That said, PicSafe takes every precaution to ensure that PHI is kept safe and secure.