Revision of the Health Insurance Portability and Accountability Act (HIPAA) rules has prompted numerous questions about business associates (BAs) and business associate agreements (BAAs). Apparently there is confusion about exactly which businesses qualify as BAs and how your BAAs should be modified to reflect the new provisions.
The criteria for identifying BAs are admittedly vague: The act defines them as nonemployees performing “functions or activities” on behalf of the “covered entity” (your practice) that involve “creating, receiving, maintaining, or transmitting” personal health information (PHI).
Clearly, answering and billing services, independent transcriptionists, hardware and software companies, and any other vendors involved in creating or maintaining your medical records always qualify as BAs. Other businesses may or may not qualify, depending on whether they need direct access to PHI in order to provide their service. These include practice management consultants, attorneys, companies that store or microfilm medical records, and record-shredding services.
Specialty pharmacies are seldom mentioned in the BA discussion, but they probably should be. Pharmaceutical manufacturers are increasingly using them as intermediaries for their products – particularly the more expensive ones, such as biologics. Many of them ship products directly to patients, for which they require home addresses and other personal information, and in order to file payment paperwork and claim forms, they usually request diagnoses and associated medical information. By any reasonable interpretation of the new rules, this makes them BAs, and you should have BAAs in place before allowing them to fill your prescriptions.
To further complicate the situation, manufacturers and insurers routinely compile information about the real-world uses of their products. To that end, they often ask specialty pharmacies to provide them with any patient data that they collect. Under the new rules, patients may restrict any PHI shared with third parties when they pay for the drugs or services themselves. Your specialty pharmacy BAA should include a provision stating that the pharmacy is forbidden from disclosing to pharmaceutical companies or insurers any data from patients who self-pay and request confidentiality.
Mail carriers, package delivery people, cleaning services, copier repairmen, bank employees, and the like are not considered BAs. While they might conceivably come in contact with PHI on occasion, they don’t need it to do their job. You are required to use “reasonable diligence” in limiting the PHI that these folks may encounter, but you do not need to enter into written BA agreements with them.
Independent contractors who work within your practice – aestheticians and physical therapists, for example – are not considered BAs either, and do not need to sign a BA agreement. Just train them, as you do your employees.
Another source of confusion is the provision in the new rules that makes BAs directly responsible for their own HIPAA violations. While this might seem to eliminate the need for BAAs entirely, unfortunately that is not the case. In fact, even more responsibility has been placed on physicians for confidentiality breaches committed by their BAs. It is not enough to simply have a BAA in place; you are expected to use “reasonable diligence” in monitoring the work of your BAs. While BAs and their subcontractors are responsible for their own actions, the primary responsibility remains with you. Furthermore, you now must assume the worst-case scenario. Previously, when PHI was compromised, you would have to notify affected patients (and the government) only if there was a “significant risk of financial or reputational harm”; but now, any incident involving patient records is assumed to be a breach, and must be reported. Failure to do so could subject your practice, as well as the contractor, to significant fines.
If you haven’t yet revised your Notice of Privacy Practices (NPP) to explain your relationships with BAs, and their status under the new rules, do it now. (You should have done it last September.) You need to explain the breach notification process too, as well as the new patient rights mentioned above. You must post your revised NPP in your office, and make copies available there, but you need not mail a copy to every patient.
Dr. Eastern practices dermatology and dermatologic surgery in Belleville, N.J. He is the author of numerous articles and textbook chapters, and is a longtime monthly columnist for Dermatology News.