Health Information Compliance Alert

Published on Fri Oct 17, 2008 PDF

When do TPAs fit better than BAAs? The answer may surprise you.

A business associate agreement (BAA) alone might not be enough to safeguard protected health data in all your organization's transactions with vendors and trading partners.

There are situations that may require several contract types to thoroughly protect your patients' health information.

Trading partner or confidentiality agreements may serve your purpose more closely than a BAA does, says David Szabo, an attorney with McClennen Nutter & Fish in Boston.

Your first step in choosing the agreement that best suits your needs is to understand the differences between the contract types. Here's the breakdown:

Business associate agreements (BAA): The privacy and security rules require that you use BAAs to establish safeguards and other responsibilities business associates (BAs) must provide, says Mark Eggleston, the HIPAA compliance

program manager for Health Partners of Philadelphia.

Use a BAA when a person or organization performs a service for you that you would normally do in-house. Key: That service must involve patients' PHI.

For example, a service that handles your billing is a business associate because they 1) handle patients' information and 2) perform the service on your behalf. On the other hand, an independent maintenance worker is not a business associate

because she neither performs a service that you would normally do for yourself nor comes into contact with PHI.

Caveat: When you sign a contract"whether it's a business associate agreement or another type of binding agreement"you are responsible for both abiding by that contract's terms and enforcing those terms on the other party, explains

Matthew Rosenbaum, COO for CPI Directions, a regulatory consulting firm in New York, NY.

Trading partner agreement (TPA): These contracts are permitted--but not required--by the transactions and code sets rule to set up a protocol for you to share electronic data for payment, says Kirk Nahra, an attorney with Wiley Rein &

Fielding in Washington, DC. These agreements are different from BAAs because they only exist between providers and payers.

For example, you might ask your payers to sign a TPA that outlines how you'll exchange electronic data (e.g., electronic claims) and what security measures you'll implement, Szabo says.

Confidentiality agreement (CA): These agreements protect business secrets--such as financial or operating information--from those outside your organization. A CA is typically used with employees in higher-level positions who might have

access to your business information, Szabo notes.

For example, you would ask an external consultant to sign a CA if she is helping you develop a new business or beef up your business plan.

Note: While you can ask each employee to sign a CA to protect customer lists, prices and other business information, a strict confidentiality policy will be easier to implement. Good idea: Ask your employees to sign your confidentiality policy to

acknowledge that they understand their obligations, Szabo suggests.

The bottom line: By signing the contract that most closely matches your business need, you'll save valuable resources and ensure that no PHI is inappropriately exposed, Rosenbaum says.