At Nexsen Pruet, we work with clients across the full spectrum of healthcare to manage compliance with HIPAA, and we often receive questions about business associates and business associate contracts.

The HIPAA Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will "appropriately safeguard" the protected health information (PHI) it receives or creates on behalf of the covered entity, in the form of a business associate agreement (BAA). Covered entities to which HIPAA applies are health care providers, health care clearinghouses, and health plans.

In complying with HIPAA, one of the most common questions we tend to see is: Do we need a business associate agreement?

In order to determine whether a BAA is needed, we ask the following questions.

  • Are you working with a business associate? A business associate is a person or entity that performs certain functions or activities that involve the disclosure of PHI on behalf of, or provides services to, a covered entity.
  • Is the potential business associate a member of the covered entity's workforce (i.e., an employee)? Workforce members include employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of that covered entity or business associate, whether or not they are paid.
  • Will PHI be disclosed to the potential business associate? If the answer is no, or if the information is just incidental, then no BAA is required.

To help identify potential business associates, typical functions they perform on behalf of covered entities include:

  • Claims processing and administration
  • Data analysis
  • Utilization review/quality assurance
  • Billing
  • Benefit management
  • Practice management
  • Legal services
  • Consulting

In order for a covered entity to disclose PHI to a business associate, a business associate agreement must be in place. Disclosures may only be made pursuant to, and as contemplated by, the agreement. BAAs can be detailed and include lots of information, but the basic requirements are:

  • Describe the permitted and required uses of PHI by the business associate;
  • Provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and
  • Require the business associate to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the contract.

There are some exceptions to the requirement for a business associate agreement. Common exceptions where no BAA is needed generally involve disclosures to a healthcare provider for treatment purposes, and disclosures from a provider to a health plan for payment purposes.

Business associate relationships and BAAs can be complicated and nuanced, but it's important to be able to recognize when a BAA might be needed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.