Most covered entities have business relationships with vendors or service providers that fall into the category of business associates, as defined by HIPAA rules. The factor that will decide whether or not there is a business associate relationship with a particular service provider is whether the individual or entity handles protected health information (PHI) as part of the services that they provide to the practice.
Following is a definition of a business associate, according to the Privacy Rule:
Business Associates – In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
Examples of business associates include:
- Companies that help doctors get paid for providing health care, including billing or collection companies and companies that process health care claims
- People like outside lawyers, accountants and IT specialists (if their work requires access to or disclosure of PHI)
- Companies that store or destroy medical records, such as shredding companies, storage facilities (for paper records) and cloud-based data storage vendors (for electronic records)
- Companies that provide data transmission services with respect to PHI, such as secure email or Internet-based fax services
- Voice Over Internet Protocol (VOIP) phone service providers
- Companies that provide phone answering, mailing or transcription services
It is not necessary that the entity use the protected health information, but only that your practice intentionally provides access to or discloses it to the business associate as part of the service relationship. For example, although a cloud-based data storage company may simply store data (that contains PHI) for the practice and does not use it, the covered entity has made an intentional disclosure of PHI to the company and in turn it is providing the service of storage to the covered entity. Therefore, the data storage company is considered a business associate subject to HIPAA rules. It is very important to establish a written Business Associate Agreement with such entities prior to disclosing PHI to them.
There are some entities that may have inadvertent access to PHI due to their presence in your practice, such as janitorial staff or a pharmaceutical rep, that are not considered business associates. In most cases these vendors will only have incidental access, such as overhearing a part of a conversation concerning a patient or seeing a patient’s name on a chart. Protected health information is not intentionally disclosed to these entities, nor are they provided with persistent access to it. And, as long as the covered entity has reasonable safeguards in place and these disclosures are limited in nature, they are not a violation of HIPAA Rules.
For complete information regarding business associate agreements and vendor confidentiality agreements, please refer to the article on page 5 of the May issue of the American Practice Advisor® titled “Business Associate vs. Vendor Confidentiality Agreements.”