Business Associate Agreements – What You Need to Know

What is a Business Associate, and how do we know if we need an agreement?  As defined by the Department of Health & Human Services (HHS), a Business Associate (BA) is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”  To comply with the HIPAA Privacy Rule, covered entities must ensure that any protected health information disclosed to a Business Associate is used solely for the purposes for which it was disclosed, and that it is safeguarded.  Business Associate Agreements (BAAs) provide assurances to covered entities that the integrity of their data is maintained.

Requirements of a BAA include:

  1. The BAA must be in writing and signed by all parties
  2. How and when the BA is allowed to use or disclose PHI must be defined
  3. Language should be included stating that the BA will not use or disclose PHI other than as permitted by the contract or required by law
  4. Include the safeguards put in place to prevent unauthorized disclosure of PHI or ePHI
  5. Require the BA to report any use or disclosure of PHI/ePHI not covered by the agreement, and specify processes for reporting incidents and breaches to the covered entity
  6. Upon termination of the agreement, the BA must return or destroy all PHI/ePHI received or created on behalf of the covered entity
  7. Require the BA to have agreements in place with any of their subcontractors that may have access to PHI/ePHI
  8. Include termination clauses that apply if the BA violates any term of the agreement

Certain uses and disclosures of PHI are exempt from the BAA requirement, for example: disclosures by a covered entity to a healthcare provider for treatment purposes, disclosures to a health plan sponsor providing health insurance benefits, certain disclosures for research purposes, and more.

Business Associate Agreement review should be performed at least annually.  Audit all organizations, individuals and entities you conduct business with, determine whether PHI is used or disclosed, and determine whether a BAA is required.  Not having a current BAA in place when required under HIPAA can cost you dearly.  Last year a Raleigh, NC orthopedic clinic failed to have a BAA with a third-party vendor contracted to transfer plain films for over 17,000 patients to electronic format.  The electronic files were never created by the vendor, who sold the x-ray films to a recycling company to harvest the silver.  The clinic was fined $750,000.  Although the clinic was the victim of a scam, it was still held accountable because no BAA had been obtained.  This case may sound extreme, but just recently a small pediatric subspecialty practice in the Chicago area was fined $31,000 for failing to produce a signed BAA for a specific vendor during a compliance review by the OCR.

Contact Billingology at [email protected] to learn how we can evaluate your current agreements, and ensure you are in compliance and safeguarding your PHI.