Does your company provide goods or services to health care providers? If so, the subject of business associate agreements (BAAs) can be daunting.
If your health care provider customer requests that you sign a BAA, you may wonder whether this agreement is actually necessary and whether the terms being presented to you are appropriate. In the first of our two-part series, we’re going to start with the basics.
What is a Business Associate?
BAAs need to be in place between health care providers and their business associates. So what is a business associate?
HIPAA generally defines a business associate as a person who is not a member of a health care provider’s workforce and who creates, receives, maintains, or transmits protected health information (PHI) or performs functions or activities on behalf of, or provides certain services for, a health care provider that involve the use or disclosure of PHI from the provider or a business associate of the provider.
Some examples of business associates are:
- Third-party coding and billing companies
- Software companies that handle PHI
- Attorneys or accountants who are provided PHI
Business associates do not include conduits like phone companies, internet providers, UPS, etc., that transport information without accessing it and do not store copies of the data. But, if entities like email, fax, cloud, or messaging service providers store PHI or transmit it in a manner that makes it possible to be viewed by their employees, they are considered business associates.
Business associates also do not include entities like janitorial companies and landlords that could inadvertently or covertly access PHI in the course of their work, since those entities are not being hired for the purpose of creating, receiving, maintaining or transmitting PHI or performing functions that involve the use or disclosure of PHI. In those circumstances, a Confidentiality Agreement would be the more appropriate means of ensuring the confidentiality of the PHI.
Are Subcontractors Considered Business Associates?
Subcontractors are people or entities who are not members of the workforce of the business associate and who create, receive, maintain, or transmit PHI on behalf of the business associate. If a business associate hires a subcontractor to assist it in its work for a health care provider and the subcontractor will have access to PHI, a BAA is needed between the subcontractor and the business associate. And, if the subcontractor hires another subcontractor that will have access to the PHI, a BAA is likewise needed between those subcontractors – HIPAA rules protect PHI no matter how far “down the chain” the PHI goes.
Here are some examples of when a BAA may be needed between a business associate and a subcontractor:
- A law firm hired by a health care provider to defend a medical malpractice matter is provided with a patient’s PHI. The law firm hires expert witnesses and provides the PHI to them.
- A hospital hires a consulting firm, which hires a case manager to review lengths of stay.
- A business associate hires a company to shred PHI that it received from the health care provider.
Now that we’ve defined what a business associate is and when you need a BAA, next week we will dive into what terms must be included in a BAA. For more information about BAAs, please contact Atty. Lora L. Zimmer or one of our attorneys at McCarty Law LLP.