Most practices are aware that the HIPAA Omnibus Rule requires them to take necessary steps to prepare for the enforcement date of September 23.  They realize the importance of having Business Associate Agreements in place.  Some even have an updated template Business Associate Agreement (BAA) prepared and available.  However, many find it challenging to determine which vendor relationships require a BAA.

The definition of a Business Associate is provided in 45 CFR § 160.103 and other helpful information can be found here:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html

A basic definition of a business associate is any entity that a covered entity (physician practice) allows to create, receive, maintain or transmit Protected Health Information (PHI).  Some common examples of business associates are:

  • A billing company
  • A clearinghouse
  • An answering service
  • A document shredding company
  • A collection agency
  • An attorney

Generally, physicians and those they trust to run their practices are thorough and analytical.  They prefer to leave no stone unturned.  Below are a few questions that I’ve heard frequently during my discussions with physicians and practice managers.

What about the phone company or the Internet provider?  They could access my patient information, so we need a BAA with them, right?

Business Associate Agreements are not necessary with certain organizations considered to be mere conduits.  Examples are the US Postal Service, some private couriers, telephone companies, and Internet Service Providers.  This is because a conduit transports the information, but does not access it.  No disclosure is intended by the covered entity (physician practice) and there is low likelihood of disclosure of PHI in these situations.

What about the landlord or the cleaning service?  They have access to the office where we keep PHI.

It is unnecessary to have a BAA with the cleaning service because they are not contracted to perform services involving use or disclosure of PHI.  However, you need to have reasonable safeguards in place to protect PHI.  Ideally, you should store paper PHI in a locked cabinet.

Do I have to have a BAA with _______?  She’s been doing our accounting for years, but she isn’t an employee.

It is common to overlook a business associate who has been working in your organization for a long period of time.  However, if an independent contractor is providing services such as accounting or anything that involves PHI, then you must have a BAA in place.

Hopefully, your practice has BAAs at the top of your priority list this month.  If you don’t have appropriate BAAs in place, your procrastination could be expensive.  Every time a business associate accesses your patients’ information without the proper agreement, your practice is potentially exposed to very large fines.