Pathology/Lab Coding Alert

HIPAA:

3 Steps Keep BAA Compliance Costs Down

Get needed agreements on file in your lab.

If one of your lab’s business associates (BA) is involved in a HIPAA breach, having an appropriate agreement in place could be the very thing that protects your bottom line.

Follow our experts’ three steps to make sure you’re ready.

Step 1: Decide Who Constitutes a Business Associate

Business associates and their subcontractors maintain protected health information (PHI) and electronic protected health information (ePHI) just as your lab does. The level of their interaction with your lab depends on the complexity of the service they provide. A business associate is someone who performs one of these five services for a covered entity, suggested Ryan Boggs, CISA, CRISC, HCISPP, CCSFP, manager of IT advisory at BHG in Charlotte, N.C., during a session at HIMSS17 titled “Managing Risk As a Business Associate”:

  • Legal work
  • Accounting
  • Billing
  • Transcription
  • Claims processing

You may contract with other businesses, such as a cleaning service, but do they all require a BA agreement (BAA)?

“Business associate agreements include organizations that may create, receive, maintain or transmit health information,” notes HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vt. Since your cleaning staff is not accessing health information in any way, they won’t typically be considered “business associates.”

Step 2: Execute BAAs

Once you’ve identified an entity as a BA, you “must execute written contracts … to make sure they safeguard PHI according to HIPAA standards,” explains Jo-Anne Sheehan, CPC, CPC-I, CPPM, senior instructor with Certification Coaching Org., LLC, in Oceanville, N.J. “Business associates must do the same with any of their subcontractors who can be considered business associates.”

When you’ve got a signed business associate agreement (BAA) on file, it binds the entity to HIPAA and protects your lab if a breach occurs. Make sure you get the BAA signed, where the law allows, before sharing any PHI. “Business associates are subject to most of the same privacy and data security standards that apply to covered entities, and may be subject to HHS audits and penalties,” Sheehan says.

Tip: For more information on constructing BAAs and medical exceptions, see www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Step 3: Enact Confidentiality Contracts for ‘Cleaners’

For third parties you contract with that don’t handle PHI, such as your cleaners, you can establish a confidentiality contract instead of the more complicated and expensive BAA.

This type of contract protects you should an accident or theft happen, but it doesn’t completely discharge you from liability. The language of the confidentiality agreement “puts the company on the hook if it should breach its obligations with respect to confidentiality,” says attorney Kathleen D. Kenney, Esq., of Polsinelli LLP in Chicago. “Most third parties with access to PHI will meet the definition of a business associate, but in the rare instances where they do not, having contractual protections in place puts a provider in a better position.”

Kenney adds, “But this certainly does not absolve the provider from its own obligations to ensure safeguards as OCR will only look at the provider if an incident occurs and the third party does not meet the definition of a business associate.”