HIPAA COMPLIANCE: Does your family practice know who your business associates are?
By Julie Sheppard, B.S.N., J.D., C.H.C.
Most physician practices, including family practices, are already aware that the HIPAA Omnibus Rule (compliance date Sept. 23, 2013) requires them to take the necessary steps for compliance. Most realize the importance of having Business Associate Agreements (BAAs) in place, and some practices even have an updated BAA template prepared and available. However, many practices still find it a challenge to determine which vendor relationships require a BAA.
The definition of a business associate and other helpful information is provided in 45 CFR § 160.103, found at http://1.usa.gov/9cubLA.
A basic definition of a business associate is any person or entity, other than a member of your own workforce, that a covered entity (a physician practice, including a family practice) allows to create, receive, maintain, or transmit Protected Health Information (PHI) on its behalf. Some common examples of business associates are a billing company, a clearinghouse, an answering service, a document shredding company, a collection agency, and an attorney who receives PHI in the course of providing legal services.
Generally, physicians and those they trust to run their practices are thorough and analytical. They prefer to leave no stone unturned. Below are a few questions I encounter frequently during my discussions with physicians and practice managers.
What about the phone company or the Internet provider? They could access my patient information, so we need a BAA with them, right?
Business Associate Agreements are not necessary with organizations considered to be mere conduits. Examples are the U.S. Postal Service, some private couriers, telephone companies, and Internet service providers. A conduit transports the information but does not access it, other than on a random or infrequent basis. The covered entity, the physician practice, does not intend to disclose PHI to the conduit, and there is a low likelihood that PHI will be disclosed in these situations. Keep in mind that this exception is narrow: it covers transmission services only. A vendor that stores or maintains your PHI, such as a data backup or cloud storage provider, is a business associate even if it never actually views the information.
What about the landlord or the cleaning service? They have access to the office where we keep PHI.
It is unnecessary to have a BAA with the cleaning service, because it is not contracted to perform services that involve the use or disclosure of PHI; the same reasoning applies to the landlord. However, you still need to have reasonable safeguards in place to protect PHI from anyone who has physical access to the office. Ideally, you should store paper PHI in a locked cabinet and make sure workstations are locked or logged off when unattended.
Do I have to have a BAA with _______? She’s been doing our accounting for years, but she isn’t an employee.
It is common to overlook a business associate who has been working with your organization for a long period of time. However, if an independent contractor provides services such as accounting, or any other service that involves access to PHI, then you must have a BAA in place, regardless of how long the relationship has existed.
Hopefully, your practice has BAAs at the top of your priority list this month. If you don’t have appropriate BAAs in place, your procrastination could be expensive. Every time a business associate accesses your patients’ information without the proper agreement, your practice is potentially exposed to very large fines.
Julie Sheppard, B.S.N., J.D., C.H.C. is president and founder of First Healthcare Compliance. She is an adjunct professor at Widener University School of Law, where she serves as the course instructor for Healthcare Compliance & Ethics. A nurse, an attorney, certified in Healthcare Compliance by the Compliance Certification Board, and a physician's spouse, Julie combined her professional understanding of compliance issues with her personal motivations when establishing First Healthcare Compliance. First Healthcare Compliance addresses the challenges created by the recent compliance mandates of the Affordable Care Act for health care providers, specifically those applying to physician practices, by developing a timely, comprehensive and practical solution to meet the ongoing compliance needs of physician practices.