Not everyone who accesses PHI has to sign a BAA.
When you’re working with medical records, nothing is more important than maintaining the privacy of the patient. There are times, however, when an entity accesses protected health information (PHI).
Good news: Most of the entities that access medical records are considered business associates (BAs), and thus subject to the Health Insurance Portability and Accountability Act (HIPAA) when handling PHI.
Bad news: “A lot of companies and people aren’t required to comply with HIPAA, and there are many times when health information may be available to these people and companies,” says Jo-Anne Sheehan, CPC, CPC-I, CPPM, senior instructor with Certification Coaching Org., LLC, in Oceanville, N.J.
As a covered entity (CE), you will be able to protect your patient’s PHI by obtaining a signed business associate agreement (BAA) from certain entities. With others, however, you cannot legally bind them to HIPAA.
Check out this who’s who of entities that might access PHI.
BAs Come Bearing Many Services
If a provider is considered a BA, you must get a BAA contract signed in order to safeguard PHI according to HIPAA standards, says Sheehan.
Remember: Many BAs perform services that don’t involve patient interaction, Sheehan says. So make sure you’re on the lookout for BAs of all shapes and sizes.
According to Sheehan, “BAs can perform many different services for a covered entity,” including (but not limited to):
BAs Bound By Associate Agreement
When you have identified an entity as a BA, you “must execute written contracts … to make sure they safeguard PHI according to HIPAA standards. Business associates must do the same with any of their subcontractors who can be considered business associates,” Sheehan explains.
When you’ve got a signed BAA on file, it binds the entity to HIPAA — so make sure you get them signed, if law allows, before sharing PHI. “Business associates are subject to most of the same privacy and data security standards that apply to covered entities, and may be subject to HHS [Health and Human Services] audits and penalties,” Sheehan says.
Best bet: Protect your practice from any missteps a BA makes by getting a signed BAA on file. For more information on constructing BAAs, see www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
HIPAA Doesn’t Apply to Gyms, Marketers
Obviously, you’ll want to get a signed BAA from any entity that you can consider a BA. Don’t go chasing waterfalls, though. Some entities aren’t bound by HIPAA and a BAA might not do much good.
Sheehan offers these examples of entities that aren’t covered under HIPAA but may handle health information:
Best bet: Consider each request carefully, and consult with an attorney if you have any questions about disclosing PHI. Handling patient information is situational, and will largely depend “on whom the provider has a BAA with,” Sheehan says.
For more information on BAs, see: http://www.hhs.gov/hipaa/for-professionals/faq/business-associates.