Pain Management Coding Alert

Reader Question:

ID All Business Associates to Stay Compliant

Question: I have read about business associate agreements (BAAs) in past issues of this newsletter. What does HIPAA consider a business associate, and thus bound by the confines of a BAA?

Hawaii Subscriber

Answer: Medical practices often have to do business with outside vendors. Many of these outside vendors are bound to follow business associate (BA) guidelines under the Health Insurance Portability and Accountability Act (HIPAA).

To avoid any confusion or angst during your vendor negotiations, be sure to know if, and when, a vendor is a BA.

The basics: Any vendor that gets anywhere close to your patient’s health information is a potential BA, according to HIPAA.

The vendor is a HIPAA BA if it receives, maintains, stores, accesses, or transmits health-related information in the course of providing services, according to a blog posting by partner attorney Laurie Cohen for the law firm Nixon Peabody LLP. 

The feds might also consider a vendor a BA if the health-related information is protected health information (PHI), as defined by HIPAA, and if that PHI originates from a covered entity (CE).

Though it’s rare, some vendors might initially object to being categorized as a BA, because any BA must play by some pretty stringent rules. According to Cohen, at a minimum, a HIPAA BA must:

  • develop HIPAA privacy, security, and breach notification policies;
  • perform a security risk assessment;
  • provide HIPAA education to its workforce; and
  • prepare a BAA to use with its own subcontractors who receive, maintain, store, access, or transmit PHI in the course of providing services.

Any BAs that you work with must understand the requirements and their responsibilities under HIPAA, or you could have a potential HIPAA breach hotspot.

Clarification: The story “CPT® Update: Here’s Your Rundown on the Latest CPT® Code Changes for 2016,” from the volume 2, number 10 issue of Pain Management Coding Alert contained the following paragraph:

“Providers can perform these blocks at any vertebral level, but most often administer them at the thoracic level because of anatomic considerations, says 95971, which also does not have a time requirement,” says Marvel J. Hammer, RN, CPC, CCS-P, ACS-PM, CPCO, owner of MJH Consulting in Denver, Co.

The paragraph should have read:

“Providers can perform these blocks at any vertebral level, but most often administer them at the thoracic level because of anatomic considerations,” says Marvel J. Hammer, RN, CPC, CCS-P, ACS-PM, CPCO, owner of MJH Consulting in Denver, Co.