How to Know if Your Vendor is a Business Associate Under HIPAA (Decision Tree Included)

Do you outsource some of your organization’s functions to other companies? Most likely, you do. It’s virtually impossible to do everything in house. Furthermore, there are many benefits to hiring external companies to provide expert services. But do you know which of your vendors are business associates? Business associates (BAs) are vendors that have access to your sensitive data. The Health Insurance Portability and Accountability Act (HIPAA) requires you to protect that data. Therefore, you must manage your vendors with care.

Vendor management begins when you identify your BAs and establish contracts with them. But how do you know if the company you’re hiring qualifies as a BA? This blog will clarify who is a BA under HIPAA and when you must have a business associate agreement in place.

Plus, download a FREE Business Associate Decision Tree tool at the end of this blog.

Who is a Business Associate Under HIPAA?

A vendor becomes a business associate when you outsource a service that requires them to use or disclose your organization’s protected health information (PHI).

You must consider a vendor a BA if:

  1. they create, maintain, receive, or transmit (CMRT) PHI on behalf of your organization for a function or activity regulated by the HIPAA Privacy Rule, and
  2. they are not a member of your workforce.

Therefore, any vendor that handles PHI on your behalf but isn’t a part of your workforce is a BA. See the Business Associate Decision Tree for a step-by-step approach.

Let’s look at some examples of BAs that have CMRT functions:

    • Creates: Utilization review, quality assurance, practice management, and claims processing vendors create PHI.
    • Maintains: Personal health record and cloud storage providers maintain PHI.
    • Receives: A CPA firm that provides accounting services receives PHI.
    • Transmits: An independent medical transcriptionist transmits PHI.

Other vendors that have CMRT functions on behalf of your organization may include:

    • Accounting or actuarial consultants
    • Attorneys/legal counsel
    • Auditors
    • Benefit management organizations
    • Collection agencies
    • Computer hardware or software providers
    • Data transmission providers
    • E-prescribing gateways
    • IT/IS vendors
    • Medical staff credentialing software providers
    • Paper recycling or waste disposal services
    • Physician billing services
    • Radiology services
    • Record storage vendors
    • Risk management consultants
    • Telemedicine programs

This list isn’t comprehensive. There are many more types of vendors that may use or disclose PHI on your behalf.

Who is Not a BA?

Since so many vendors are BAs under HIPAA, it’s easy to jump to the conclusion that all your vendors are BAs. But there are many activities in which the other party isn’t a BA, such as:

  1. Disclosing PHI to a laboratory for a patient’s treatment. This disclosure falls under the treatment, payment, and healthcare operations (TPO) umbrella.
  2. Referring a patient or sending their medical chart to a specialist for treatment. Again, this is a TPO disclosure.
  3. Using a service, such as the U.S. Postal Service or an electronic equivalent, to transport PHI. These services are conduits that serve to move PHI, not access or store it. However, a cloud fax or email provider is a BA because it stores and has access to electronic PHI.
  4. Using a service, such as a janitorial or electrical service, that doesn’t involve PHI. They may come across PHI by accident as part of their day-to-day work. Nevertheless, these are incidental disclosures and not violations.

HIPAA Business Associate Decision Tree (downloadable graphic).

When Do You Need/Not Need a HIPAA Business Associate Agreement?

Before disclosing PHI to a BA, you must enter into a contract with them, called a business associate agreement (BAA). That’s why it’s important to know who is or is not a business associate. In a BAA, the BA provides assurances that they will protect the PHI they use or disclose on your organization’s behalf. We will look more closely at BAAs and vendor contracts in upcoming posts.

In summary, a vendor must meet two main requirements to be considered a BA:

  1. they must create, maintain, receive, or transmit PHI on behalf of your organization, and
  2. they cannot be a member of your workforce.

Take a moment to review your contractual relationships. Are any of your vendors business associates that require a BAA? In the HIPAAtrek platform, you can create, negotiate, and sign BAAs, eliminating unnecessary back-and-forth with your vendors. Plus, we’re rolling out a NEW Contract Management Module to help you manage all your organization’s contracts in one convenient location. Contact us today to learn how HIPAAtrek can simplify your vendor management process.

The goal of this five-part series is to show healthcare CEOs and CFOs that effective, HIPAA-compliant vendor management is vital to the finances, performance, and reputation of their organizations. Furthermore, healthcare organizations will see a positive ROI when they foster successful vendor relationships that yield high-quality, secure services.
