Who needs a Business Associate Agreement (BAA)? Who doesn’t?

A smooth running medical practice requires patient information to be used for many purposes. The information is critical for treatment of patients, payment for their services, and making sure the practice is operating as a successful business. In order to assure that patient information is protected there are laws in place to govern how the practice can use information and what is required of any vendor. A billing service for example requires protected health information in order to make sure services are properly being paid and processed. This cannot happen without a Business Associate Agreement to assure that the billing service is properly protecting the information in their care. We receive questions regarding asking who needs a Business Associate Agreement and who does not? The definitions have changed and there are resources to help guide the way.

What is a business associate agreement?

The January 25, 2013 Final Rule (aka HIPAA Omnibus Rule) modified the definition of a Business Associate. Here is the short version:

    A Business Associate is an entity who….creates, receives, maintains, or transmits protected health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, listed at 42 CRF 3.20, billing benefit management, practice management, and repricing or (ii) legal, actuarial, accounting, consulting, data aggregation (as defined in 164.501),management, administrative, accreditation, or financial services, where the provision of the service involves the disclosure of protected health information.

What about the Janitor? They will across paths with Protected Health Information. Does a Janitor need to have a Business Associate Agreement? The US Department of Health and Human Services (HHS) states the following:

    “Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of protected health information, and any disclosure of protected health information to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented. Such disclosures are incidental and permitted by the HIPAA Privacy Rule. See 45 CFR 164.502(a)(1).”

What about a courier service? They will be delivering Protected Health Information. Does a courier or the Postal Service need to have a Business Associate Agreement? The US Department of Health and Human Services (HHS) provides the answer:

    No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.

What about a secure backup service? Should your backup provider be a business associate? We are not finding definitive guidance for this question but we do find a reasonable approach. If the data that is stored with the backup provider is encrypted in a compliant manner and the key is stored separately you may not need a Business Associate Agreement. There are backup providers and software providers that fully encrypt all data so even in providing their services they are unable to access or store data that could be accessed without your key. Here is the official guidance from (HHS) regarding encryption requirements that render Protected Health Information unusable.

      Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.1
Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

Medical Management is definitely a Business Associate and we take that responsibility seriously. We also help guide our clients in the ever changing world of HIPAA compliance.

Here is a link to publicly available HIPAA Compliance Resources:

Department of Health and Human Services – HIPAA for Professionals