Medicare Compliance & Reimbursement

Hint: Your practice cleaning service probably doesn’t need a BAA.

When there’s a HIPAA breach in your office, costs can stack up. And that’s why it’s essential to have business associate agreements in place that protect you and your livelihood should a violation occur. But before you go to the trouble of outlining another third-party BAA, make sure you need it.

Who Is a Business Associate?

Business associates and their subcontractors maintain protected health information (PHI) and electronic protected health information (ePHI) just as your practice does. The level of their interaction with your practice depends on the complexity of the service they provide. A business associate (BA) is someone who performs one of these five services for a covered entity, suggested Ryan Boggs, CISA, CRISC, HCISPP, CCSFP, manager of IT advisory at BHG in Charlotte, N.C. during a session at HIMSS17 titled “Managing Risk As a Business Associate:”

• Legal work
• Accounting
• Billing
• Transcription
• Claims processing

Basics: When you have identified an entity as a BA, you “must execute written contracts … to make sure they safeguard PHI according to HIPAA standards,” explains Jo-Anne Sheehan, CPC, CPC-I, CPPM, senior instructor with Certification Coaching Org., LLC, in Oceanville, N.J. “Business associates must do the same with any of their subcontractors who can be considered business associates.”

Tip: When you’ve got a signed business associate agreement (BAA) on file, it binds the entity to HIPAA — so make sure you get them signed, if law allows, before sharing PHI. “Business associates are subject to most of the same privacy and data security standards that apply to covered entities, and may be subject to HHS audits and penalties,” Sheehan says.

Best bet: Protect your practice from any missteps a BA makes by getting a signed BAA on file. For more information on constructing BAAs and medical exceptions, see www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Consider this: But how broad is the “business associate” label? Does it expand to your office’s cleaning service? “Business associate agreements include organizations that may create, receive, maintain or transmit health information,” notes HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vt. Since your cleaning staff is not accessing health information in any way, they won’t typically be considered “business associates.”

Enact a Confidentiality Contract for Third Parties That Don’t Handle PHI

An implemented BAA protects you and your partners if a breach occurs. Moreover, due to the costs, both financial and personal, that arise from a violation, the complexity of a BAA to enforce HIPAA compliance make it particularly complicated. That’s why it is important to know the difference between a BAA and confidentiality agreement.

Reasoning: “The cleaning staff should be under a confidentiality agreement but not necessarily a business associate agreement,” Sheldon-Dean advises. “If you start asking your cleaning staff to look in the waste baskets and bring you any pieces of paper that have health information as kind of a compliance check, then they are doing something with PHI on your behalf and they’d be a business associate.”

Reminder: This type of contract protects you should an accident or theft happen, but it doesn’t completely discharge you from liability. The language of the confidentiality agreement “puts the company on the hook if it should breach its obligations with respect to confidentiality,” says attorney Kathleen D. Kenney, Esq., of Polsinelli LLP in Chicago. “Most third parties with access to PHI will meet the definition of a business associate, but in the rare instances where they do not, having contractual protections in place puts a provider in a better position.”

Kenney adds, “But this certainly does not absolve the provider from its own obligations to ensure safeguards as OCR will only look at the provider if an incident occurs and the third party does not meet the definition of a business associate.”

Important: A BAA protects you and your practice up to a point, which is why it’s important to thoroughly vet your BAs and analyze and manage the risk from the get-go. “Essentially, it’s your brand. If something happens at a third party, it’s your news,” reminded Rodney Murray, CISA, CRISC, principal at IT advisory at BHG in Charlotte, NC at HIMSS17 in the “Managing Risk As a Business Associate” session.