What if we have a BAA in place that needs to be terminated, but it is difficult to reach the party for signature on the termination of BAA form?
It is super important if they still have access to any PHI or ePHI. You may try to reach them either physically or remotely and make sure they understand the termination.
However, if you still can’t reach them, as long as you have something on your end that has been disseminated to accounts receivable and other parties who may need…
Way back in 2003, the hospital sent a BAA to any vendor the hospital did business with, whether a BAA was applicable or not (i.e., an Air Ambulance company, which doesn’t need a BAA as it provides patient care). With this, do we still need to send a termination letter even though it wasn’t needed to begin with?
A formal BAA termination is not necessarily required.
However, it is suggested that you send a letter to that entity laying out the facts pertaining to their relationship and explaining that the agreement which had formerly been executed between the two parties will no longer be in effect. Keep a copy of this along with your terminated business associate agreement…
Is a physician or other provider considered to be a business associate of a health plan or other payer?
Generally, providers are not business associates of payers. For example, if a provider is a member of a health plan network and the only relationship between the health plan (payer) and the provider is one where the provider submits claims for payment to the plan, then the provider is not a business associate of the health plan. Each covered…
Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity’s business associate as the minimum necessary?
A covered entity’s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR 164.504(e)(2)(i). Thus, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests…
When is a health care provider a business associate of another health care provider?
The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1).
Therefore, any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment purposes without a business associate contract. However, this exception does…
In addressing the visitor/vendor policy, there are certain vendors that we have that are here on a regularly scheduled basis and are not in areas where there is ePHI, such as the laundry delivery, food delivery, and carriers such as FedEx and UPS. The business of these particular vendors is confined to the hallways. Do we need to treat these the same as others that may be here on an extended basis (repair personnel, on-site trainers, students shadowing personnel, etc.), whom we have sign a confidentiality/non-disclosure form and who must log in? What are the recommendations for writing this into policy? Can I differentiate between the two types?
The vendors who do not come into any possible contact with PHI may just have a confidentiality agreement, but you need that in place. If they have a key to access any room(s) after hours, or are unattended where PHI is possibly in their path, you should consider that contact with PHI. Some hospitals have confidentiality/non-disclosure agreements, so I…
I am checking the BAAs for our facility. I don’t see a Gap Analysis attached to their BAAs. The ones that I have to resend for a new one have to include the Gap Analysis when sent back to us. Is this correct?
Yes, technically, they are required to have had one, but you can just ask them to certify that they have had one, and verify that it was recent. Attach the certification form or letter to their BAA.
In our lab, we have several different machines that are serviced/maintained by the companies that manufactured them. In preparing to arrange for a BAA, our lab manager said she thought they were covered entities and for that reason they had never done BAAs before. Do you think this is correct?
These people who come in to service the lab equipment would be exposed to PHI, or ePHI, so a BAA needs to be put in place.
Our radiology is sent electronically to a service provider to read our radiology studies, and they fax results to us. Do they need to complete a BAA?
No. They would not need a BAA. HIPAA explicitly excludes from the BA requirements disclosures by a covered entity to a Health Care Provider for treatment purposes.
However, you need to look for a more secure way to deliver the results because faxes are not the most secure for many reasons. Maybe check with them on that or work…