Business Associate Agreements: What Medical Practices Need to Know

June 1, 2014

Let's take the mystery out of business associate agreements. Here's when you need to use them and why.

Last week I discussed the real reason behind HIPAA’s enactment and why the federal government is so serious about protecting the information contained in your patients' records.

This week, let’s take some of the mystery out of a creation of HIPAA called the business associate agreement (BAA).

Let’s again focus attention on your position in the chain of trust, which begins when a patient trusts you with personal financial, medical, and insurance information. That information is valuable to the patient, but more to the federal point, it is valuable to criminals and must be protected.

So what exactly is a BAA and when do you use it? The government defines a business associate as "a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information."

In plain English, any time the business of running your practice requires you to give an outside person or company access to protected health information (PHI) in your possession, you may need a BAA. Some functions are exempt, such as licensing boards, peer review, and insurance audits.

Business associates include billing companies, audit specialists, computer IT professionals, and sometimes law firms and accountants.

The question isn’t so much, “Who is receiving the information?” but, “For whose benefit are they being given access to PHI?” If the outside person or company is doing work for you, you likely need a BAA with them, unless they are exempt.

Why? Think of it as a type of “security clearance.” You have secure information. A business associate is one more link in the chain of trust.

Business associates earn a living helping you, and they will need access to PHI to do their jobs.

You have an ethical (and now a federal HIPAA) duty to protect that information.

Absent HIPAA, there really isn’t any law speaking to the duty of an outside contractor you might hire to help you. Thus, HIPAA creates a new rule for business associates. A business associate becomes directly liable under the HIPAA rules, and subject to civil and, in some cases, criminal penalties, for uses and disclosures of protected health information that are not authorized by its contract or required by law.

A business associate also becomes directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.

As a general rule, you should create a BAA you are comfortable using and attach it as an addendum to every contract with a company that will come into contact with PHI in your possession. If a company will not sign a BAA, it lacks the required security clearance, and you should not give it access to your PHI. It’s the law.