Many Smart Training clients conduct business with dental laboratories. We’re often asked about Business Associate Agreements between our clients and labs.
Many times, the lab has told our practice client that the lab is a Covered Entity under HIPAA, and that a BAA is not required. However, if the lab isn’t actually owned by a healthcare provider, then the lab is not a Covered Entity. Even if it were a Covered Entity, the law specifically states that “a Covered Entity may be a Business Associate of another Covered Entity.” Just being a Covered Entity doesn’t get the lab off the hook.
Under the Omnibus Rule, Business Associates must train employees on patient privacy, and labs thus become directly responsible under the HIPAA Security Rule. Both constraints pose problems for many lab owners. For example, current BAAs require labs to train their employees on patient privacy.
If your practice provides PHI to a lab with which you do not have a Business Associate Agreement in place, and the lab breaches the information, your practice is liable. And if you think having your lab sign a BAA is of little importance, ask yourself: If patients knew your office had provided their information to a dental lab that is unwilling to train employees on HIPAA privacy and security regulations, how would they feel?
If a lab you use will not sign a BAA with your office, find another lab.
Get help creating your own custom BAAs from Smart Training's experts.