Practice Management Alert

Question: I have read about business associate agreements (BAAs) in past issues of this newsletter. What does HIPAA consider a business associate, and thus bound by the confines of a BAA?

Ohio Subscriber

Answer: Medical practices often have to do business with outside vendors. Many of these outside vendors are bound to follow business associate (BA) guidelines under the Health Insurance Portability and Accountability Act (HIPAA).

To avoid any confusion or angst during your vendor negotiations, be sure to know if, and when, a vendor is a BA.

The basics: Any vendor that gets anywhere close to your patient’s health information is a potential BA, according to HIPAA.

The vendor is a HIPAA BA if it receives, maintains, stores, accesses, or transmits health-related information in the course of providing services, according to a blog posting by partner attorney Laurie Cohen for the law firm Nixon Peabody LLP. 

The feds might also consider a vendor a BA if the health-related information is protected health information (PHI), as defined by HIPAA, and if that PHI originates from a covered entity (CE).

Though it’s rare, some vendors might initially object to being categorized as a BA, because any BA must play by some pretty stringent rules. According to Cohen, at a minimum, a HIPAA BA must:

• develop HIPAA privacy, security, and breach notification policies;
• perform a security risk assessment;
• provide HIPAA education to its workforce; and
• prepare a BAA to use with its own subcontractors who receive, maintain, store, access, or transmit PHI in the course of providing services.

Any BAs that you work with must understand the requirements and their responsibilities under HIPAA, or you could have a potential HIPAA breach hotspot.