A Business Associate is anyone you pay for a specific task who will be working with patients’ P.H.I. (Protected Health Information) as part of the reason you hired them. They are not your direct employees, but they use P.H.I. to do the work you hired them for. Examples of common Business Associates are establishments such as a Clearinghouse, a Billing Service, a Collection Agency, Storage Companies, IT Services, EHR Platforms, Consultants and Shredding Companies.
Now, there are other folks you will work with who are not in your direct employ but are paid for a specific task that does not involve using P.H.I. However, there is a risk of exposure to P.H.I. due to their presence in the building: they may see or hear sensitive information that is not meant for them. For each and every one of these individuals who enters your facility, you would want to ensure you have a Confidentiality Agreement in place. A good example of a regular Vendor is a member of a Janitorial Staff.
The last fact to consider when developing your vendor list is the concept of Treatment, Payment or Operations. Certain entities do not need any sort of agreement in place based on what they do for you. Anything that affects your ability to treat your patients, receive payment, or carry out healthcare operations does not require a Business Associate Agreement (BAA) or Confidentiality Agreement (CA). Examples include giant insurance companies like Blue Cross Blue Shield and United Healthcare, but this also trickles down to the labs you work alongside, frame fitters, lens manufacturers, and latex glove suppliers. None of these need agreements in place.
Below is a quick snapshot of our Vendor Management System.
This ties back to The Seven Fundamental Elements of an Effective Compliance Program by “Developing effective lines of communication.”