When Do I Need a HIPAA Business Associate Agreement?

Your medical practice has responsibility for protecting the privacy of health information under the HIPAA Privacy Rule while carrying out health care activities. In order to focus on health care delivery, you might utilize non-employee service professionals for functions such as claims processing, data analysis, quality assurance or billing.

For example, a consultant performing utilization reviews or an independent medical transcriptionist may use, create or disclose protected health information, PHI, in its duties to provide services to you.  Your CPA firm may receive detailed accounts receivable or refund information containing PHI in the normal course of compiling financial information for you.  You should have a signed agreement with the vendor that addresses services to be performed for your practice.  Your medical practice must also obtain assurances that PHI will be used appropriately and safeguarded by these business associates (BA) by entering into a business associate agreement.

This business associate agreement outlines requirements of the BA that may protect your practice from a HIPAA penalty in the event the business associate fails to protect PHI. The agreement must describe authorized uses of PHI by the BA; specify that the BA will not use or disclose the PHI other than as permitted or required by agreement or by law, and require the BA to have safeguards to prevent unauthorized use or disclosure of the PHI. This agreement must require the BA to report any use or disclosure of the protected information not consistent with the contract, including incidents that may be a breach of protected information.

There are some exceptions to the business associates standard. Your medical practice is not required to have a business associate agreement in place to make disclosures of PHI to another person or entity defined as a covered entity under the HIPAA Privacy Rule; such as disclosures from a physician to a laboratory for treatment of a patient. Your practice also will not need business associate agreements with vendors whose services don’t involve the use or disclosure of PHI (or where the exposure to PHI is incidental), such as arrangements for facility maintenance services.

For access to Health and Human Services (HHS) guidance on business associates and business associate agreements, visit www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates.