Failing to have HIPAA business associate agreements (“BAAs”) can result in significant penalties for healthcare providers and business associates. Last month, the OCR imposed a $500,000 settlement and robust corrective action plan against a physician group that failed to have a BAA with its billing company. After the billing company improperly allowed access to protected health information on its website, the OCR looked to the physician group to pay the price. (See https://www.hhs.gov/about/news/2018/12/04/florida-contractor-physicians-group-shares-protected-health-information-unknown-vendor-without.html).
Under HIPAA, “business associates” are essentially those entities that create, access, maintain or transmit PHI on behalf of a healthcare provider. (45 CFR § 160.103, definition of “business associate”). HIPAA requires healthcare providers to execute a BAA before disclosing protected health information (“PHI”) to their business associate. (45 CFR § 164.502(e)). It also requires business associates to execute a BAA with their subcontractors that handle PHI on behalf of the business associate. (Id.). The BAA must contain certain required terms. As recent settlements confirm, healthcare providers that fail to execute a BAA are subject to HIPAA penalties and may be vicariously liable for their business associate’s misconduct.
Common business associates for healthcare providers include, but are not limited to, the following if they create, maintain, transmit or access PHI as part of their job duties on behalf of the provider:
- Management company
- Billing company
- Consultants and auditors
- Answering service
- Transcription service
- Interpreter or translator if contracted by the healthcare provider
- Marketing or public relations firm
- Malpractice carrier when responding to a malpractice claim
- Collection agency if performing services on behalf of the provider
- Data storage, data processing or data management companies, including cloud service providers
- Document destruction companies
- Health information exchanges
- Electronic health record vendors
- E-prescribing gateways
- Software vendors or IT support that handle PHI
- Vendors of equipment or services if they access PHI as part of their duties
- Medical device manufacturers if they access PHI
- Third party administrators for employee benefit plans
- Accreditation organizations
- Patient safety organizations
- State or national industry associations that provide services involving PHI
- Peer reviewers who review records
- Medical directors who perform administrative tasks
The following are generally not business associates so no BAA is required; however, providers may want to execute confidentiality agreements with them in case the person inadvertently accesses, uses or discloses PHI:
- Employees or members of the healthcare provider’s workforce, including volunteers or others over whom the healthcare provider has control.
- Other healthcare providers while rendering treatment.
- Persons who do not work with PHI as part of their job duties even though they may periodically see PHI, e.g., janitors.
- Entities that are mere conduits for PHI but who do not regularly access PHI, e.g., internet service providers, telecommunications companies, or the U.S. post office.
- Entities acting on their own behalf and not on behalf of the provider, e.g., payers, credit card companies, and other financial institutions.
- Members of an organized health care arrangement as defined by HIPAA, including a hospital and its medical staff members when performing administrative functions for the hospital.
- Government agencies performing their required functions.
For more help identifying business associates, see our BAA Decision Tree. For a checklist of required BAA terms, see our article on this topic.