The Basics of Business Associate Agreements: Part One

Does your company provide goods or services to health care providers? If so, the subject of business associate agreements (BAAs) can be daunting.

If your health care provider customer requests that you sign a BAA, you may wonder whether this agreement is actually necessary and whether the terms being presented to you are appropriate. In the first of our two-part series, we’re going to start with the basics.

What is a Business Associate?

BAAs need to be in place between health care providers and their business associates. So what is a business associate?

HIPAA generally defines a business associate as a person who is not a member of a health care provider’s workforce and who creates, receives, maintains, or transmits protected health information (PHI) or performs functions or activities on behalf of, or provides certain services for, a health care provider that involve the use or disclosure of PHI from the provider or a business associate of the provider.

Some examples of business associates are:

  • Third-party coding and billing companies
  • Software companies that handle PHI
  • Attorneys or accountants who are provided PHI

Business associates do not include conduits like phone companies, internet providers, UPS, etc., that transport information without accessing it and do not store copies of the data. But, if entities like email, fax, cloud, or messaging service providers store PHI or transmit it in a manner that makes it possible to be viewed by their employees, they are considered business associates.

Business associates also do not include entities like janitorial companies and landlords that could inadvertently or covertly access PHI in the course of their work, since those entities are not being hired for the purpose of creating, receiving, maintaining or transmitting PHI or performing functions that involve the use or disclosure of PHI. In those circumstances, a Confidentiality Agreement would be the more appropriate means of ensuring the confidentiality of the PHI.

Are Subcontractors Considered Business Associates?

Subcontractors are people or entities who are not members of the workforce of the business associate and who create, receive, maintain, or transmit PHI on behalf of the business associate. If a business associate hires a subcontractor to assist it in its work for a health care provider and the subcontractor will have access to PHI, a BAA is needed between the subcontractor and the business associate. And, if the subcontractor hires another subcontractor that will have access to the PHI, a BAA is likewise needed between those subcontractors – HIPAA rules protect PHI no matter how far “down the chain” the PHI goes.

Here are some examples of when a BAA may be needed between a business associate and a subcontractor:

  • A law firm hired by a health care provider to defend a medical malpractice matter is provided with a patient’s PHI. The law firm hires expert witnesses and provides the PHI to them.
  • A hospital hires a consulting firm, which hires a case manager to review lengths of stay.
  • A business associate hires a company to shred PHI that it received from the health care provider.

Now that we’ve defined what a business associate is and when you need a BAA, next week we will dive into what terms must be included in a BAA. For more information about BAAs, please contact Atty. Lora L. Zimmer or one of our attorneys at McCarty Law LLP.

Lora L. Zimmer

Health Law and Title IX Attorney at McCarty Law LLP
Lora focuses her practice in corporate and business transactions, with a particular focus on the business and regulatory needs of health care clients. In addition, Lora is a trained Title IX investigator, providing prompt, thorough investigations and objective reporting in response to alleged violations of schools’ sexual misconduct policies.