So what is a Business Associate Agreement?
The Business Associate Agreement (BAA) is not a contract for services or a typical non-disclosure agreement. It deals only with CenturyLink’s responsibilities as a Business Associate (BA) under the Health Insurance Portability and Accountability Act (HIPAA), as amended. Most clients in the medical and dental professions are Covered Entities (CE) under HIPAA because they collect, maintain, or process protected health information.
The HIPAA Privacy Rule protects all Protected Health Information (PHI) held or transmitted by a covered entity or its business associate (CenturyLink for certain services), in any form or media, whether electronic, paper, or oral. PHI includes "individually identifiable health information" that relates to: (i) the individual's past, present, or future physical or mental health or condition; (ii) the provision of health care to the individual; or (iii) the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
CenturyLink's Position
CenturyLink has implemented an information security program, and conducted assessments of such program, for the Cloud services subject to HIPAA.
Official Response
CenturyLink will enter into a standard Business Associate Agreement (BAA) that can be leveraged as part of the customer's overall HIPAA compliance program. Such a BAA is limited to those services in which CenturyLink is operating in the capacity of a BA to the customer, and the customer remains responsible for its own HIPAA compliance.