It’s virtually impossible to do everything in house, which is why most healthcare organizations—and most organizations in general—outsource critical functions. After all, there are many benefits to hiring external companies to provide expert services. But if you’re a Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA), it is critical that you know which of your vendors are business associates.
Business Associates (BAs) are vendors that have access to your patients’ sensitive data. HIPAA requires you to protect that data, and that protection extends under your BAs, too. That’s why it’s critical to accurately identify BAs and implement the proper contracts with them—to ensure compliance with HIPAA, and protection for your patient data.
Vendor management begins when you identify your BAs and establish agreements with them. But how do you know if the company you’re hiring qualifies as a BA? Today, we’re covering who is a BA under HIPAA—and when you must have a Business Associate Agreement (BAA) in place.
Plus, download a FREE Business Associate Decision Tree tool at the end of this blog.
Who is a Business Associate Under HIPAA?
A vendor becomes a Business Associate when you outsource a service that requires them to use or disclose your organization’s Protected Health Information (PHI).
You must consider a vendor a BA if:
- they create, maintain, receive, or transmit (CMRT) PHI on behalf of your organization for a function or activity regulated by the HIPAA Privacy Rule, and
- they are not a member of your workforce.
That’s right—any vendor that handles PHI on your behalf but isn’t a part of your workforce is a BA. See the Business Associate Decision Tree for a step-by-step approach.
Let’s look at some examples of BAs that have CMRT functions:
- Creates: Utilization review, quality assurance, practice management, and claims processing vendors create PHI.
- Maintains: Personal health record and cloud storage providers maintain PHI.
- Receives: A CPA firm that provides accounting services receives PHI.
- Transmits: An independent medical transcriptionist transmits PHI.
Other vendors that have CMRT functions on behalf of your organization may include:
- Accounting or actuarial consultants
- Attorneys/legal counsel
- Benefit management organizations
- Collection agencies
- Computer hardware or software providers
- Data transmission providers
- E-prescribing gateways
- IT/IS vendors
- Medical staff credentialing software providers
- Paper recycling or waste disposal services
- Physician billing services
- Radiology services
- Record storage vendors
- Risk management consultants
- Telemedicine programs
This list isn’t comprehensive. There are many more types of vendors that may use or disclose PHI on your behalf.
Since so many vendors are BAs under HIPAA, it’s easy to jump to the conclusion that all your vendors are BAs. But there are many activities in which the other party isn’t a BA, such as:
- Disclosing PHI to a laboratory for a patient’s treatment. This disclosure falls under the treatment, payment, and healthcare operations (TPO) umbrella.
- Referring a patient or sending their medical chart to a specialist for treatment. Again, this is a TPO disclosure.
- Using a service, such as the U.S. Postal Service or an electronic equivalent, to transport PHI. These services are conduits that serve to move PHI, not access or store it. However, a cloud fax or email provider is a BA because it stores and has access to electronic PHI.
- Using a service, such as a janitorial or electrical service, that doesn’t involve PHI. They may come across PHI by accident as part of their day-to-day work. Nevertheless, these are incidental disclosures and not violations.
When Do You Need/Not Need a HIPAA Business Associate Agreement?
Once you identify a vendor as a BA, and before disclosing PHI to them, you must enter into a contract, called a Business Associate Agreement (BAA). In a BAA, the BA provides assurances that they will protect the PHI they use or disclose on your organization’s behalf.
Want to learn more about BAAs? Check out our blog post: Business Associate Agreements Explained: What is a BAA and When Do You Need One?
In summary, a vendor must meet two main requirements to be considered a BA:
- they must create, maintain, receive, or transmit PHI on behalf of your organization, and
- they cannot be a member of your workforce.
Take a moment to review your contractual relationships. Are any of your vendors business associates and require a BAA? In the HIPAAtrek platform, you can create, negotiate, and sign BAAs, eliminating unnecessary back-and-forth with your vendors. Schedule a Demo today to learn how HIPAAtrek can simplify your vendor management process.
The goal of this five-part series is to show healthcare CEOs and CFOs that effective, HIPAA-compliant vendor management is vital to the finances, performance, and reputation of their organizations. Furthermore, healthcare organizations will see a positive ROI when they foster successful vendor relationships that yield high-quality, secure services.
Easily determine whether a vendor is a BA using Our BA Decision Tree!
A quick & easy cheatsheet to help you decide if a vendor is a Business Associate.