THE CRUNCH · EPISODE 11 · 0:32 · HEALTHCARE

The BAA Question


When retired hospital equipment leaves the building, the drives inside carry protected health information — and the vendor taking custody of them is performing a function involving PHI. Under HIPAA, that makes them a business associate, and business associates require a Business Associate Agreement.

Health systems reliably execute BAAs with billing vendors, transcription services, and cloud providers — and then hand pallets of data-bearing equipment to a recycler on a handshake. If that recycler mishandles a drive, the breach notification, the OCR scrutiny, and the penalties land on the covered entity.

The fix is structural: put disposal under a BAA, demand NAID AAA-certified destruction with serialized certificates, and fold the whole engagement — destruction, recycling, remarketing — under one agreement with one accountable vendor.

CYBERCRUNCH · NAID AAA · R2v3 · RIOS · PA DEP

Is disposal under your BAA umbrella?

CyberCrunch packages HIPAA-compliant destruction, R2v3 recycling, and remarketing under a single BAA for health systems nationwide.