Health care providers and plans may not have as many Health Insurance Portability and Accountability Act business associate agreements to pull together as they thought. In a May 23 program memorandum (AB-03-078; http://cms.hhs.gov/manuals/pm_trans/AB03078.pdf), the Centers for Medicare & Medicaid Services lays out the ground rules for how fiscal intermediaries and carriers are to deal with the business associate provisions of the HIPAA privacy standards. In a nutshell, FIs and carriers are business associates of Medicare fee-for-service itself - not of individual health care providers and health plans. "Medicare contractors that perform health care activities involving the use of protected health information on behalf of the Medicare FFS health plan are not business associates of providers, physicians, suppliers or other health plans," CMS says. "Likewise, providers, physicians, suppliers, or other health plans are not business associates of the Medicare contractor, unless the provider, physician, supplier or other health plan is doing work on behalf of the Medicare contractor." CMS orders FIs and carriers not to sign business associate agreements with providers unless the latter criterion is met.

Lesson Learned: Health care providers may not need HIPAA business associate agreements with their Medicare contractors.