Does This Arrangement Require a Business Associate Agreement?

Maynard Nexsen

Nexsen Pruet, PLLC

At Nexsen Pruet, we work with clients across the full spectrum of healthcare to manage compliance with HIPAA, and often we receive questions about associates and business associate contracts.

The HIPAA Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will “appropriately safeguard” the protected health information (PHI) it receives or creates on behalf of the covered entity, in the form of a business associate agreement (BAA). Covered entities to which HIPAA applies are health care providers, health care clearinghouses, and health plans.

In complying with HIPAA, one of the most common questions we tend to see is: Do we need a business associate agreement?

In order to determine whether a BAA is needed, we ask the following questions.

  • Are we working with a business associate? A business associate is a person or entity that performs certain functions or activities that involve the disclosure of PHI on behalf of, or provides services to, a covered entity.
  • Is the potential business associate a member of a covered entity’s workforce (i.e., an employee)? This could include employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid.
  • Will PHI be disclosed to the potential business associate? If the answer is no, or if the information is just incidental, then no BAA is required.

To help identify potential business associates, some of the typical functions they perform on behalf of covered entities include:

  • Claims processing and administration
  • Data analysis
  • Utilization review/quality assurance
  • Billing
  • Benefit management
  • Practice management
  • Legal services
  • Consulting

In order for a covered entity to disclose PHI to a business associate, a business associate agreement must be in place. Disclosures may only be made pursuant to, and as contemplated by, the agreement. BAAs can be detailed and include lots of information, but the basic requirements are:

  • Describe the permitted and required uses of PHI by the business associate;
  • Provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and
  • Require the business associate to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the contract.

There are some exceptions to the BAA requirement. Common exceptions where no BAA is needed involve, generally, disclosures to a healthcare provider for treatment purposes, and disclosures from a provider to a health plan for payment purposes.

Business associate relationships and BAAs can be complicated and nuanced, but it’s important to be able to recognize when a BAA might be needed.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Maynard Nexsen | Attorney Advertising
