Even the simplest\u00a0medical practice is actually fairly complex, and because of this, almost no healthcare organization handles all of its activities internally. With needs ranging from coding to billing to EHR software provision, a typical medical practice will have necessary relationships with at least a few outside\u00a0companies. The federal government regulates interactions with such\u00a0“business associates” via HIPAA, and a crucial piece of this regulation is found in the “business associate agreements” (BAAs) that the law mandates.<\/p>\n
For this piece, we’re also excited to welcome Dr. Carlene MacMillan of Brooklyn Minds<\/a> as an expert reviewer and commenter. Practicing in psychiatry, one of the most privacy-sensitive fields of medicine, Dr. MacMillan has developed a uniquely deep understanding of the crucial role that BAAs play in modern healthcare, and we’ll feature her tips and insights throughout the\u00a0article.<\/p>\n At heart, the BAA requirement under HIPAA is simple for care providers: every\u00a0covered entity<\/span> must have a\u00a0written agreement<\/span> with\u00a0each of its business associates<\/span>, or else it is not\u00a0compliant with HIPAA\u00a0regulations.1,2<\/sup><\/strong><\/p>\n That summation is succinct, but it likely raises a few\u00a0big questions for you:<\/p>\n So let’s answer those!<\/p>\n If you are providing\u00a0healthcare in the United States, you are most likely considered\u00a0a “covered entity” under\u00a0HIPAA, which means that you must\u00a0abide by all of its regulations.<\/strong><\/p>\n [perfectpullquote align=”right” cite=”” link=”” color=”” class=”” size=””]”There are many apps out there that offer high-level encryption for text and video, but all that is useless to me if the company will not sign a BAA.” – Dr. MacMillan[\/perfectpullquote]<\/p>\n The exact definition of a covered entity is slightly more nuanced, though, and if you want to dig deeper on this, we\u00a0covered the\u00a0topic more thoroughly in a\u00a0previous article<\/a>. The government also provides useful information<\/a>, including a flowchart<\/a>\u00a0to help you determine your status.<\/p>\n Again, though, if you’re providing healthcare in America, you are safest assuming that you are a covered entity and that you must follow HIPAA.<\/p>\n The short answer is that a “business associate” under HIPAA is any<\/strong>\u00a0outside person or company that interacts with\u00a0your organization’s protected health information (PHI).3<\/span><\/sup><\/strong><\/p>\n As always, the long answer is longer, but it does not change the overall correctness\u00a0of this rule of thumb for the majority of cases. Notably, the actual language\u00a0of HIPAA imparts business associate status on any entity that\u00a0“creates, receives, maintains, or transmits protected health information” on behalf of a covered entity. That set of verbs ensures that basically anybody outside of your organization counts as your business associate if they touch your PHI in any way.<\/p>\n [perfectpullquote align=”left” cite=”” link=”” color=”” class=”” size=””]”As an outpatient child and adolescent psychiatrist in private practice, being able to text with patients and use video chat are two aspects of my practice that are directly impacted by the need for a BAA. I do not want patients and families texting me on my personal cell, so looking for a service that would allow that and also sign a BAA was challenging.” – Dr.\u00a0MacMillan[\/perfectpullquote]<\/p>\n The government also provides\u00a0summary guidance<\/a>\u00a0on\u00a0the topic of HIPAA business associates, which gives more exact detail, should you want it. And if you’re wondering whether\u00a0the phone company or\u00a0postal service might count as your business associate because you use it\u00a0to\u00a0“transmit” PHI, don’t worry:\u00a0HIPAA prevents this with\u00a0the “conduit exception,” which we covered in a previous discussion<\/a>. This exclusion\u00a0only applies to certain types of transmission, however, so\u00a0the\u00a0phone company does\u00a0indeed\u00a0become\u00a0your business associate if you use it for other purposes, such as\u00a0storing voicemail.<\/p>\n One final important note: if a business associate has its own downstream business associate (a “subcontractor”), then the two\u00a0organizations must also have a HIPAA-compliant written contract in place between each other. There has to\u00a0be an intact chain of agreements stretching from the covered entity through to all organizations that touch its PHI. The covered entity itself does not need BAAs with subcontractors, but its business associates must have them.<\/p>\n HIPAA mandates\u00a0that every BAA contain certain basic\u00a0elements, and it enumerates these in a good amount of detail.4,5<\/sup><\/strong>\u00a0The major focus\u00a0of the requirements is to make it explicit that a\u00a0business associate is just as beholden to HIPAA as is a\u00a0covered entity, and the totality of the\u00a0requirements functions as\u00a0a blueprint that essentially every BAA should follow.<\/p>\n [perfectpullquote align=”right” cite=”” link=”” color=”” class=”” size=””]”It is also important to check if all the features of a company you work with are covered by the BAA. For example, the program we use in our practice for email and cloud storage has a BAA covering those aspects but not their VoIP phone service so we use a separate service for phone\/video\/texting.” – Dr. MacMillan[\/perfectpullquote]<\/p>\n Helpfully, the\u00a0government provides<\/span>\u00a0sample BAA language<\/a>\u00a0that\u00a0implements these stipulations, which can be used to construct\u00a0a new BAA or to compare against an existing agreement\u00a0that you are being offered. While BAAs do not have\u00a0to use the exact government language, they should all\u00a0be conceptually similar and have\u00a0mostly the same pieces.<\/span><\/p>\n BAAs may also contain contractual provisions that HIPAA does not require. You should review any BAA carefully before signing it to make sure that it protects you and your organization adequately and that it does not place any undue demands on you or cause you to forfeit any important rights. BAAs are legal documents, and as such, a lawyer may be useful (or vital) in your review of them.<\/p>\n The federal government<\/a> has the latitude to impose both civil monetary fines and criminal punishments upon individuals and organizations\u00a0that\u00a0violate HIPAA.<\/strong> Under the current\u00a0omnibus HIPAA rules, each violation can incur a penalty of up to $50,000, with repeat violations of the same provision costing as much as\u00a0$1.5 million per year.<\/p>\n These potential sums\u00a0are not just theoretical. In a recent case, the government imposed a $400,000 fine<\/a> on a healthcare organization that could have avoided the punishment by having an adequate BAA in place.\u00a0The modern healthcare regulatory environment clearly demands that physicians and other providers pay careful attention to HIPAA and its attendant BAAs or else be ready to pay out for the consequences.<\/p>\n Up-to-date and complete business associate agreements are vital to every healthcare organization’s HIPAA compliance plan. If a company will not sign an appropriate BAA with your organization, then you should not trust them with your patients’ PHI. It’s that simple and also that important.<\/p>\n This article is part of a series of posts relating to HIPAA law and regulation. The information provided is\u00a0meant as general guidance only and is not intended to be legal advice.<\/em><\/p>\n\n
Am I a Covered Entity?<\/h1>\n
Who Are My Business Associates?<\/h1>\n
What Things Have to Be in a BAA?<\/h1>\n
Why Should I Care?<\/h1>\n
\n
\n