Health Information Compliance Alert
Are BAAs Always Necessary?
PDF
Question: With the HIPAA Omnibus Final Rule now in effect, it seems as though we need to have a Business Associate Agreement (BAA) with just about everyone we come into contact with. In what situations do we not need to have a BAA?
“They’re not business associates,” Sheldon-Dean states. “They should be under a confidentiality agreement so that they know if they see anything or hear anything, they shouldn’t repeat it. But they’re not business associates. They’re not doing anything with PHI on your behalf.”
HIPAA regulations provide a narrow exception for “conduits” (FedEx, UPS, U.S. Postal Service) when the conduit provides “simple delivery only,” Sheldon-Dean says. These types of entities don’t have any persistence of custody of PHI.
Meaning: “Persistence of custody” means that the entity is storing or holding onto the PHI in some way. A common example is your regular email service provider.
What you send via your email provider “winds up being stored,” Sheldon-Dean points out. “It may wind up being backed up in different email services.” And so, your email service provider does “have persistent custody of messages.”
“If somebody’s providing email services for you and handling PHI, they are a business associate whether they like it or not,” Sheldon-Dean says. And in many cases, cloud vendors are your business associates, too — “even if they’re handling information that’s encrypted, it’s still information that’s covered under the business associate rules.”
Bottom line: “If the information [is] being held on to in some kind of persistent ways, there’s some persistence of custody, then that’s how you decide what the business associate relationship is in those situations,” instructs Sheldon-Dean.
Answer: You do not need a BAA when there is no access, management, or “persistence of custody” of protected health information (PHI), according to Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC. You don’t need a BAA with payers, other providers, and your own workforce members.
Those who would have no reason to use, disclose, create, receive, maintain, or transmit PHI on your behalf also fall into the no-BAA-needed category, Sheldon-Dean notes. This would include people like tradesman (plumbers, electricians, etc.) and housekeeping or cleaning services.
Health Information Compliance Alert
- HIPAA Compliance:
Heed Expert Tips To Craft Effective HIPAA Policies & Procedures
Make sure you cover these 7 big changes under the new rules. If you’re like [...] - Know 4 Principles Your Policies Must Never Be Without
Do your policies set forth clear responsibilities and accountability? What makes a “good” policy? According [...] - Reader Question:
Taking Secrets To The Grave: When You Can Share Decedents' PHI
Question: Our practice treated a patient who passed away two years ago, and now we [...] - Reader Question:
Are BAAs Always Necessary?
Question: With the HIPAA Omnibus Final Rule now in effect, it seems as though we [...] - Reader Question:
Can You Send Medical Records Via Email (Securely)?
Question: One of our patients has requested a copy of his medical records, and he [...] - Tool:
Use This Chart To Dispel Security Risk Analysis Myths
HHS OCR gives you a little help on getting your risk analysis down pat. As [...] - Enforcement News:
Brace Yourself For Increased HIPAA Audits
Plus: OCR now handing out fines for not having breach policies. The HHS Office of [...]