Wiki Payer Wants us to Sign a Business Associate Agreement

CatchTheWind

A small insurance payer just sent us a Business Associate Agreement that they are asking us to sign. My understanding is that a medical practice is NOT a Business Associate of a Payer (nor vice versa) because neither one of us is working on behalf of the other; we are both working on behalf of the patient. (HIPAA defines Business Associate as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.") When a payer processes a payment, they are providing a service to their insured, not to us.

Am I mistaken?
 
HHS says that one covered entity can be a Business Associate of another. But that would only apply if they are providing a service to the other covered entity, not if they are both providing services to the patient.
 
All of the above answers are likely true, but what difference does it make? Either way, you have to be HIPAA compliant. I say just sign it and move on!
 
A business associate is also defined as: "a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate". The point of the agreement is to ensure that the business associate will "appropriately safeguard protected health information". It is in your best interest to sign it and insist that others sign one with you as well. If you are submitting claims to an insurance company, you ARE transmitting protected health information and therefore should be covered under a business associate agreement.
 
No - not a BA

A provider is not a BA of a payer and vice versa. Neither is providing services on behalf of the other, and the transmission of PHI is not on behalf of or for the benefit of the other organization. The provider, who is a covered entity and is bound by the HIPAA Privacy Rule, is sending the PHI to the payer in order to obtain payment and the payer, who is also a CE, is fulfilling its duties when submitting payment, sending remittance advice statements or performing audits. The BAA is worthless as both parties are CEs and bound by the Privacy Rule.
 
A provider is not a BA of a payer and vice versa. Neither is providing services on behalf of the other, and the transmission of PHI is not on behalf of or for the benefit of the other organization. The provider, who is a covered entity and is bound by the HIPAA Privacy Rule, is sending the PHI to the payer in order to obtain payment and the payer, who is also a CE, is fulfilling its duties when submitting payment, sending remittance advice statements or performing audits. The BAA is worthless as both parties are CEs and bound by the Privacy Rule.

Again, the answer above is likely true, but why waste time arguing over semantics? As a provider, you are required to be HIPAA compliant. The agreement requires you to do something that you are already doing. Why waste any more time debating this issue? It doesn't bind you to anything you aren't already bound to. Sign it. Move on.
 
While I understand what you are saying, figuring there are bigger fish to fry than this because both parties have to comply with HIPAA, by agreeing that you (speaking for the provider) are a Business Associate of a payer, you open yourself up to additional scrutiny and risk under the HITECH rules. For example, if the payer has a data breach and the provider doesn't find out until everyone else does by hearing about it on the news, the provider could be open to inquiry about what they knew about the breach by the payer, how long they had known, and the like. Without being designated as a BA, the provider wouldn't have to do this. Sure, the provider most likely would not be guilty of any wrongdoing - but why set yourself up for that? They are not a BA - no need to sign a BAA and take on the risks associated with it, as the provider has enough to deal with for their own HIPAA compliance.
 
While I understand what you are saying, figuring there are bigger fish to fry than this because both parties have to comply with HIPAA, by agreeing that you (speaking for the provider) are a Business Associate of a payer opens yourself up to additional scrutiny and risk under the HITECH rules. For example, if the payer has a data breach and the provider doesn't find out until everyone else does by hearing about it on the news, the provider could be open to inquiry about what they knew about the breach by the payer, how long had they known and the like. Without being designated as a BA, the provider wouldn't have to do this. Sure, the provider most likely would not be guilty of any wrongdoing - but why set yourself up for that? They are not a BA - no need to sign a BAA and take on the risks associated with it as the provider has enough to deal with for their own HIPAA compliance.

Agreed, but to me the scenario where a provider would be guilty of wrongdoing because a payer had a data breach just seems so unlikely as to be not worth wasting time and energy over. As you say, providers have enough to deal with. Technically speaking, however, you are completely correct. I guess the practice that's being asked to do this will just have to weigh the odds and make a decision.
 