Business Associate, Yes or No?
The HIPAA Privacy Rule requires Covered Entities to take certain steps to ensure that contractors and vendors requiring access to Protected Health Information (PHI) manage and use that information safely and responsibly. Such a vendor or contractor, of course, is called a “business associate” (BA). While most of us think we know what a BA is, do we know exactly who is a BA?
When your organization runs into a new sort of vendor or contractor, you may wonder whether the expectations of a BA apply. To protect your organization and your patients’ data, don’t guess. Be sure you know when a BA Agreement (BAA) is required and when it may not be necessary. The lists below show a few examples of companies, partners, and vendors who may or may not be considered BAs.
Common Types of Business Associates
- Covered Entities providing services beyond treatment. This may be an associated hospital providing training or other services to another.
- Accreditation Organizations if the examination of PHI is necessary for the approval or review process.
- Medical Claims processing services.
- Utilization Review consultants or services.
- Medical Transcriptionist services or independent contractors.
- CPAs and attorneys providing litigation services.
Not Usually Considered Business Associates
- Physicians working with a Health Plan. As Covered Entities, both are responsible independently (unless also providing other services).
- Insurance Issuer or HMO (unless they are performing other services as well).
- Software Vendors requiring only a “limited data set” to maintain systems.
- USPS, UPS, FedEx, or other delivery services acting merely as a conduit for data.
- Telecommunications Relay Services for hearing-impaired patients to facilitate doctor/patient communications.
- Experts employed by attorneys to provide expert testimony, investigation, or other services on behalf of the firm.
Note that these examples are somewhat generalized. There may be circumstances that alter the nature of the relationship between your organization and a potential BA from what is generally described above.
Keep in mind that your organization’s liability in the case of a data breach or incident does not stop with what happens within your own facility or systems. The security of patients’ PHI in the possession of your BA is your organization’s responsibility as well. Do not guess or rely on vague information. If you have further questions about the requirements of the Privacy Rule, it is important to seek expert advice based on the nature of your relationships with other companies, their need for patient data and how shared data is used by each entity.