One of the fundamental compliance requirements for healthcare providers is protecting the confidentiality and security of the patient health information you maintain. Most healthcare providers are subject to a federal law called the Health Insurance Portability & Accountability Act, commonly known as HIPAA, which implemented a national standard for the confidentiality and security of protected health information maintained by covered entities.
Covered entities include healthcare providers who conduct covered transactions electronically, such as claims submissions. If your organization is subject to HIPAA, you may only use or disclose individually identifiable health information (often referred to as “protected health information” or “PHI”) without the patient’s written authorization if the disclosure is for one of the following purposes:
- Treatment
- Payment
- Healthcare operations
- Specifically required or authorized by law (such as abuse reporting)
This is where the business associate agreement comes in. If you are disclosing PHI to a third party for “health care operations,” that third party is considered a “business associate” and is required to sign a business associate agreement, agreeing to comply with HIPAA’s privacy and security requirements as a condition of receiving the PHI. “Health care operations” are defined as certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. Information technology, legal, accounting, and consulting services are examples of “health care operations” that, if performed by a third party for the covered entity and requiring access to PHI, require that third party to sign a HIPAA business associate agreement.
Essentially, HIPAA requires covered entities to contractually bind third parties that provide services and access the entity’s PHI to comply with HIPAA. The covered entity itself can face HIPAA penalties if it does not sign and enforce a business associate agreement with these third parties. Here is where the confusion occurs: there are a number of exceptions to the business associate agreement requirement, so it is not always readily apparent when you need one.
For example, the business associate agreement requirement does not apply to third parties accessing a covered entity’s PHI solely for “treatment purposes.” If you contract with another healthcare provider to assist you in treating your patients and the only access the provider has to your PHI is for these treatment purposes, you do not need a business associate agreement with that provider. If, however, the other provider is also providing you with administrative services, such as medical director services, and requires PHI to perform those administrative services, a business associate agreement is required.
Ultimately it is the covered entity’s responsibility under HIPAA to ensure it has a signed business associate agreement with third parties that qualify as “business associates.” The covered entity can be penalized for failing to implement this requirement. For help determining who is a “business associate” requiring a business associate agreement, check out this week’s podcast!