Winthrop & Weinstine, P.A.

Navigating the day-to-day duties related to your practice includes many different responsibilities. From providing patient care, to making sure your office has the appropriate equipment, to managing your team, you have a lot of balls in the air.  With that balancing act, it can sometimes be difficult to make sure that nothing gets dropped.  One area where we routinely see clients struggle is with respect to Business Associate Agreements (“BAAs”).  Thankfully, this can be a quick fix if you have the right legal team at your side.  Not only must you consider whether a BAA is necessary, but also, if you already have a BAA in place, whether it meets the requirements set forth by federal and Minnesota law and adequately protects your practice. In fact, too often we see our clients presented with “boilerplate” BAAs by their vendors that were drafted for the benefit of the vendor, not you as the covered entity.

Below is some helpful background to determine whether you need a BAA, and if you already have one, whether it is compliant:

Why is a BAA necessary?  Dental practices are considered covered entities pursuant to HIPAA, which means you have numerous obligations related to the security of the protected health information (“PHI”) of your patients.  As you know, running an office requires you to enter into agreements to perform certain services on behalf of your practice, such as IT, attorneys, and accountants, just to name a few.  Pursuant to HIPAA, covered entities can only share PHI with others (other than in limited circumstances) if they receive satisfactory assurances from the receiving party that it will appropriately safeguard the PHI.

What is a Business Associate?  A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.  Examples include:

  • A third-party administrator that assists a health plan with claims processing.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.

What is a BAA?  In order to disclose PHI to a business associate, the covered entity must enter into a written agreement (a BAA) that contains the required information set forth by federal law.  Some of the key provisions:

  • Describe the permitted and required uses and disclosures of PHI by the business associate.
  • Require that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  • Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
  • Require the business associate to make available to governmental entities its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity.

Minnesota Health Records Act.  Not only must the BAA comply with federal law, but it must also include provisions that ensure compliance with the Minnesota Health Records Act.  As you may know, if you regularly review our bi-weekly Roots of Wisdom articles, the Minnesota Health Records Act is more stringent that its federal counterparts.

You must ensure that your BAAs are actually compliant with the law and provide you with adequate protection.  Never assume that a BAA is compliant simply because you received it from an outside source—even if that source is prominent in the health or dental sector.  We frequently advise clients on BAAs that have been drafted by prominent dental or healthcare companies and are inadequate to provide proper protection, or, sometimes, even violate the law.