Health Information Compliance Alert

YOU BE THE SECURITY EXPERT:

Two Questions Help Create A BA Agreement

Question: "We're a small hospital and we have several business associate agreement contracts in place, but we're not always sure whom to contract with and what would constitute a business associate. Is there an efficient and easy way to determine the necessity of a BA agreement?"

Answer: Yes, there is. Martha Baxter, an attorney in the Columbus office of Bricker & Eckler, says there are a couple of threshold questions you should ask yourself to determine what qualifies as a BA:

(A) Does the business perform or assist in the performance of an activity or function involving the use or disclosure of protected health information? or

(B) Does the business provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services that require the disclosure of PHI from the physician?

If you answered "yes" to either of these questions, then a business associate agreement may be needed.

Baxter tells Eli that clients often ask her about service people who come into a covered entity to work on, say, an MRI or the CE's laser equipment, and those technicians might stumble across some PHI in the process. "Well, that's incidental to the agreement," she emphasizes, and a BA agreement wouldn't be required. "But if you're contacting a software vendor and that vendor will need to look at PHI in order to undertake their audits or develop the software, then they will be a BA."

Caveat: Baxter says some CEs are sending BA agreements that aren't needed. "Nursing homes often send BA contracts to hospitals when it's really just for treatment purposes," and BA contracts aren't required in that situation. She advises CEs to thoroughly examine their own circumstances before creating a BA agreement.
