A Business Associate is anyone you pay for a specific task that requires them to work with patients’ PHI (Protected Health Information). They are not your direct employees, but handling PHI is part of the reason you hired them. Common examples of Business Associates are clearinghouses, billing services, collection agencies, storage companies, IT services, EHR platforms, consultants and shredding companies.
Further explanation – A Business Associate can be thought of as a third party you hire for a task you could theoretically perform in-house, but which is more cost-effective or convenient to outsource. For example, you could do your own billing, but it is time consuming. Instead, you outsource it, and the organization with which you now share PHI is obliged to sign a Business Associate Agreement (BAA).
If you are a Covered Entity (CE), you will send the document titled BAA for CE to your Business Associates.
If you are a Business Associate (BA), you will send the BAA for CE to any of your clients who have not already provided you one. For your downstream BAs (partners), you will send the document titled BAA for BA.
Best examples of those who should receive a BAA for BA – third-party backup facilities, IT partners you work alongside, consultants with access to PHI (such as developers), industrial shredders, VoIP phone providers, and cloud services (such as Box, Dropbox, AWS).
Now, there are other people you will work with who are not in your direct employ and are paid for a specific task that does not involve using PHI. However, their presence in the building creates a risk of exposure to PHI: they may see or hear sensitive information not meant for them. For each of these individuals who enters your facility, you want to ensure a Confidentiality Agreement is in place. Good examples of such regular vendors include janitorial staff, contractors, landlords of leased spaces, drug reps (if they come behind the counter), or people in shared work environments. Whether you are a CE or a BA, the above applies, and the document to be signed is titled the HIPAA Confidentiality Agreement Form.
The last point to consider when developing your vendor list is the concept of Treatment, Payment or Operations. Certain entities do not need any sort of agreement in place, based on what they do for you. Anything that affects your ability to treat your patients, receive payment, or carry out healthcare operations does not require a BAA or CA. Examples include large insurance companies such as Blue Cross Blue Shield and United Healthcare, but this also extends to labs you work with, frame fitters, lens manufacturers and latex glove suppliers. None of these need agreements in place.
Below is a quick snapshot of our Vendor Management System.
This ties back to The Seven Fundamental Elements of an Effective Compliance Program, specifically “Developing effective lines of communication.”