Question: With the HIPAA Omnibus Final Rule now in effect, it seems as though we need to have a Business Associate Agreement (BAA) with just about everyone we come into contact with. In what situations do we not need to have a BAA?
“They’re not business associates,” Sheldon-Dean states. “They should be under a confidentiality agreement so that they know if they see anything or hear anything, they shouldn’t repeat it. But they’re not business associates. They’re not doing anything with PHI on your behalf.”
HIPAA regulations provide a narrow exception for “conduits” (FedEx, UPS, U.S. Postal Service) when the conduit provides “simple delivery only,” Sheldon-Dean says. These types of entities don’t have any persistence of custody of PHI.
Meaning: “Persistence of custody” means that the entity is storing or holding onto the PHI in some way. A common example is your regular email service provider.
What you send via your email provider “winds up being stored,” Sheldon-Dean points out. “It may wind up being backed up in different email services.” And so, your email service provider does “have persistent custody of messages.”
“If somebody’s providing email services for you and handling PHI, they are a business associate whether they like it or not,” Sheldon-Dean says. And in many cases, cloud vendors are your business associates, too — “even if they’re handling information that’s encrypted, it’s still information that’s covered under the business associate rules.”
Bottom line: “If the information [is] being held on to in some kind of persistent ways, there’s some persistence of custody, then that’s how you decide what the business associate relationship is in those situations,” instructs Sheldon-Dean.
Answer: You do not need a BAA when there is no access, management, or “persistence of custody” of protected health information (PHI), according to Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC. You don’t need a BAA with payers, other providers, and your own workforce members.
Those who would have no reason to use, disclose, create, receive, maintain, or transmit PHI on your behalf also fall into the no-BAA-needed category, Sheldon-Dean notes. This would include people like tradesman (plumbers, electricians, etc.) and housekeeping or cleaning services.