What is a HIPAA Business Associate and Why Should You Care?
by Dr. Jeff Brown
A "business associate" is a person or entity that performs a service on your behalf where the service itself involves the use or disclosure of protected health information (PHI). In other words, if an entity is doing anything for your office that creates, receives, uses, discloses or maintains (stores) your PHI, then it is a business associate.
Common business associate examples include:
- EHR / PM software
- PI attorney
- Transcription service
- Billing service
- Online patient scheduling
- Appointment reminder service
- E-mail provider
- Online data backup
You should care about knowing who is, and is not, a business associate because your compliance is severely jeopardized if you get this wrong. Too many offices get in trouble with the Office for Civil Rights (the HIPAA police), not because they mess up, but because an organization they pay for this or that service messes up.
Good news! HIPAA provides a protection for you in the form of a Business Associate Agreement (BAA).
According to the HIPAA law, a business associate is permitted to create, receive, maintain, or transmit electronic protected health information on your behalf only after satisfactory assurances are obtained, in writing, that the business associate will appropriately safeguard the information.
A signed BAA is the instrument through which you obtain those "satisfactory assurances." Additionally, a BAA shifts liability from you to the business associate. Therefore, it's paramount that you get a signed BAA from every one of your business associates.
The BAA is a fairly standard document. Here is a slightly modified version of the BAA H.H.S. provides on its website.
Business associates with hundreds of customers typically have a pre-signed BAA as part of their terms of service. Meaning, they don't physically sign a BAA with each individual customer; instead, they post a "pre-signed" agreement online for everyone. We recommend documenting the website link to the actual agreement as part of your HIPAA compliance record keeping.
What about non-business associates?
Everyone else who has regular contact with your PHI falls into one of two categories. Either they are a workforce member or not.
Workforce: A workforce member is anyone whose conduct is under the direct control of the business and whose job involves the use of patient information. For example, a provider, employee, volunteer, or spouse or family member would all be workforce members if their conduct is under the direct control of the practice and the work they perform involves patient information.
Read this article to learn what HIPAA document needs to be signed by your workforce.
Not workforce: Generally, a person or vendor is not a business associate if they do not create, receive, use, disclose or maintain your PHI as part of the relationship they have with your business. The two most common examples are an office cleaning service and the various scenarios in which office space is shared or rented.
Read this article to learn why a confidentiality agreement is better suited than a BAA for these folks.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.