Q: Who is a Business Associate and what do we do if they refuse to sign the BAA (Business Associate Agreement)?
A: See the link below, as that will define for you exactly who your business associates would be. When uncertain or in doubt, it is always good to double check the HHS guideline to be confident. The information is defined in the following link: http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/#businessassociate
Privacy rules identify that Business Associates too have responsibilities to comply as well as Covered Entities. And in fact, with fairly recent updates pertaining to HIPAA, Business Associates have greater liability in their negligence to adhering to the rules set forth. In the event that a Business Associate does refuse to sign the BAA, according to privacy experts, Covered Entities should either terminate the arrangement with the BA (if feasible, and if not, the refusal to comply should be reported to the Secretary.) Please see the following link for complete details: http://privacyguidance.com/blog/i-dont-need-no-stinkin-ba-agreementor-do-i/
It is likely, in the event that a Business Associate did refuse to sign the BAA, if you contacted managerial personnel of the Business Associate(s) and notified them that due to their refusal to comply with those rules set forth to them as a Business Associate, you, the Covered Entity are required to notify the Secretary of Health & Human Services (HHS) of their refusal to comply as this becomes a potential hazard for the privacy of patient PHI (Protected Health Information). Again, it may also be useful to remind them that there is increased scrutiny on Business Associates that do not have proper agreements on file or that fail to comply with requirements. Here is the link with information to file a complaint: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
Though it may not relate directly to the question above, here is what the OCR (Office of Civil Rights) says about cloud service provider’s refusal to sign the BAA:
“If you use a cloud service, it should be your Business Associate. If they refuse to sign a Business Associate Agreement, don’t use the cloud service.”
-David Holtzman, Information Privacy Division, Office for Civil Rights
In closing, neglecting to obtain the proper BAA from Business Associates is nothing to overlook. This very topic is of interest to regulatory agencies and penalties are fierce for the mismanagement of this rule.