Business Associates vs. Vendors

Most covered entities have business relationships with vendors or service providers that fall into the category of business associates, as defined by the HIPAA rules. The deciding factor in whether a business associate relationship exists with a particular service provider is whether the individual or entity handles protected health information (PHI) as part of the services it provides to the practice.

Business Associates

Following is a definition of a business associate, according to the Privacy Rule:

Business Associates – In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. 

Examples of business associates include:

  • Companies that help doctors get paid for providing health care, including billing or collection companies and companies that process health care claims
  • People like outside lawyers, accountants and IT specialists (if their work requires access to or disclosure of PHI)
  • Companies that store or destroy medical records, such as shredding companies, storage facilities (for paper records) and cloud-based data storage vendors (for electronic records)
  • Companies that provide data transmission services with respect to PHI, such as secure email or Internet-based fax services
  • Voice Over Internet Protocol (VOIP) phone service providers
  • Companies that provide phone answering, mailing or transcription services

It is not necessary that the entity actually use the protected health information, only that your practice intentionally provides access to it or discloses it to the business associate as part of the service relationship. For example, although a cloud-based data storage company may simply store data (that contains PHI) for the practice and never use it, the covered entity has made an intentional disclosure of PHI to the company, and in turn the company is providing the service of storage to the covered entity. Therefore, the data storage company is considered a business associate subject to HIPAA rules. It is very important to establish a written Business Associate Agreement with such entities prior to disclosing PHI to them.

Vendors

There are some entities that may have inadvertent access to PHI due to their presence in your practice, such as janitorial staff or a pharmaceutical rep, that are not considered business associates. In most cases these vendors will only have incidental access, such as overhearing part of a conversation concerning a patient or seeing a patient’s name on a chart. Protected health information is not intentionally disclosed to these entities, nor are they provided with persistent access to it. As long as the covered entity has reasonable safeguards in place and these disclosures are limited in nature, they are not a violation of the HIPAA Rules.

For complete information regarding business associate agreements and vendor confidentiality agreements, please refer to the article on page 5 of the May issue of the American Practice Advisor® titled “Business Associate vs. Vendor Confidentiality Agreements.”

Failure to Establish Business Associate Agreements

The Office for Civil Rights (OCR) recently took an enforcement action concerning the failure to establish business associate agreements in a timely manner. The following information summarizes OCR’s actions against a practice that failed to establish a Business Associate Agreement (BAA) with one of its vendors for several years.

What Happened…

In August 2015, OCR initiated a compliance review of the practice following an investigation of a Business Associate (BA) that stored records containing protected health information (PHI) for the practice. While the practice began disclosing PHI to the BA in 2003, neither party could produce a BAA signed prior to October 2015. So, although the practice had a current BAA (since 2015), it was discovered that it had begun using the vendor’s services in 2003 without a BAA.

Citations…

The citations resulting from this failure included:

  1. The practice failed to obtain satisfactory assurance (in the form of a BAA) that the vendor would appropriately safeguard the practice’s patient information (PHI).
  2. The practice impermissibly disclosed PHI to the vendor without satisfactory assurances (in the form of a BAA) that the vendor would appropriately safeguard PHI.

Results…

As a result of the citations, the practice had to agree to pay a Resolution Amount (i.e., fine or penalty) of $31,000 for failing to have a BAA with the vendor, in addition to complying with a Corrective Action Plan (CAP) that OCR imposed.

Lessons learned…

It is important to ensure that a BAA is established with each new vendor that fits the definition of a business associate, as soon as service with the vendor is initiated. A practice may designate one person to fulfill this responsibility, or ensure that each workforce member who has the authority to engage the services of a business associate is trained to obtain a BAA. One person should also be designated to periodically review records (e.g., once per year) to ensure that all required business associate agreements are in place.

For more information about this enforcement action, please see the article titled Business Associate Agreement Enforcement in your June copy of the Advisor®.

Disclosure to Medical/Dental Device Companies

We are often asked whether a patient authorization is required in order to disclose protected health information (PHI) to a medical or dental device company. Similarly, practices have asked whether device companies are considered business associates of the practice. The answer to both questions depends on whether the device company is considered a healthcare provider, as defined by the Privacy Rule.

A healthcare provider is defined as an entity that furnishes, bills for, or is paid for healthcare in the normal course of business.

If the device company provides healthcare (care, services or supplies related to the health of an individual), the company is considered a healthcare provider (and must comply with HIPAA requirements as a covered entity). A patient authorization is not required in order to disclose PHI to other healthcare providers that are involved in the treatment of a patient, nor is a business associate agreement required with such entities.

For more detailed information, please see the article “Medical & Dental Device Companies” in the December 2015 Advisor.