Pulmonology Coding Alert

You Be the Coder:

Who Qualifies As A Business Associate?

Question: We recently hired a cloud storage outsourcing company for our medical records, and our administrator said we need to have them sign privacy agreements due to their status as a business associate. How can we determine whether a company is a business associate or not?

Codify Subscriber

Answer: The HIPAA Privacy Rule clearly outlines what patient data covered entities (CEs) must protect, and your practice counts as a “covered entity.” However, most practitioners rely on business associates (BAs) to successfully address administrative responsibilities involving patients, and the compliance of those vendors is essential for you to stay out of hot water.

Make sure your practice remains HIPAA-compliant by knowing what protected health information (PHI) can be disclosed, to whom, and when. “A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity,” says the HHS Office for Civil Rights (OCR). “A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.”

Tip: Those who may have access to PHI include not only attorneys and accountants, but also computer and medical hardware repair businesses, EHR software vendors, off-site billing and coding companies, physical security providers, and cleaning crews who might have access to your documentation or patients.

Most practices almost definitely work with at least one BA — but probably utilize many others, too. Here are some examples, as outlined by the OCR:

  • A third-party administrator who assists with claims processing.
  • A CPA firm whose accounting services involve access to protected health information.
  • An attorney whose legal services involve access to protected health information.
  • A consultant who performs utilization reviews.
  • A healthcare clearinghouse that translates a claim from a nonstandard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist who provides transcription services to a physician.