“A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” – source HHS.gov
In other words, a Business Associate (BA) is any individual or entity with which your office shares patient information, excluding other Covered Entities (e.g. doctors, hospitals, labs). Patient information can be as little as a patient’s first name.
Examples of Business Associates include:
- EHR Vendors
- Digital Imaging Software
- IT Companies
- Remote Backup Services
- DME Vendors
- Answering Services
- Transcription Services
- Billing Services
- Shredding Services
- Collections Agencies
- MIPS Registries
- Any person or organization that is not a member of your workforce that has access to patient information
Anybody whom you directly supervise, such as employees, 1099 workers, students, interns and volunteers, is considered a member of your workforce. You should treat them all the same way, and you are responsible for providing them with HIPAA training.
Business associates do not include cleaning or janitorial services. They do not provide services that involve the treatment or billing of the patients. Thus, they should not have access to patient information. This means that you need to have all patient information PUT AWAY at the end of the day before a cleaning crew comes in so they do not accidentally come into contact with patient information.
There is often confusion on who is a Business Associate (BA) and who is a Covered Entity (CE). The difference between CEs and BAs is that covered entities have a direct relationship with patients.
A good rule of thumb:
- If the entity bills the patient (including billing the patient’s insurance company) for the services, then it has a direct relationship with the patient and is a Covered Entity.
- If the entity bills YOU for the services, then it is your BUSINESS ASSOCIATE, and you need to have a Business Associate Agreement in place.
Your office must obtain a Business Associate Agreement (BAA) with each of your business associates. A BAA states how your BA is allowed to use the patient information and that they are required to notify you if they experience a breach. The BAA is a legal document between your office and your BA. The law requires that YOU get the BAA; it does not require the BA to give you the document. This means it is your responsibility to get the BAA in place. The BAA protects you and places responsibilities on the Business Associate, so many organizations that should sign a BAA may be reluctant to sign the form.
TLD Systems clients have access to the BAA template we created. We recommend that you consult with your Health Care Attorney before using any legal document in your practice.