No matter your role, if you’re involved in healthcare, you know HIPAA. For those who may not be intimately familiar with the acronym, HIPAA is the Health Insurance Portability and Accountability Act, which governs the rules for maintaining patient privacy and the security of protected health information (PHI).
In the past, maintaining the privacy of patient records was much simpler—before the days of cloud storage and digital documentation. The modern era, with all its conveniences, has undermined the simplicity of locked file cabinets, dusty rooms, and secure buildings. The technological equivalent of such measures simply doesn’t exist—and that has made securing PHI more important than ever.
For practices, this also means making sure that any outside organizations involved in the day-to-day business of your practice will be held accountable as well. That’s where business associate agreements come in.
The business side of running a practice requires assistance from a variety of non-healthcare entities, such as credit card processors and legal offices, to name a few. Per HIPAA Privacy Rule provisions added in 2013, these organizations are known as “business associates”.
According to the Department of Health and Human Services, a business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Covered entities include organizations held directly accountable to HIPAA laws, such as insurers, practices, healthcare clearinghouses, and other healthcare providers.
Other entities involved in the business of healthcare, however, may not fall under HIPAA provisions—which could be a bad thing for your patients’ privacy.
These entities include:
- Merchant service providers or billing service providers
- Software and hardware technology vendors
In order to safely secure PHI and patient privacy, practices will need to create contracts known as business associate agreements with outside vendors before disclosing any protected information.
While it might seem self-explanatory that all organizations involved with healthcare be held to the same legal standard, the laws simply don’t play out that way. A business associate agreement is therefore vital for cementing the standards into place for any transaction between healthcare and non-healthcare businesses.
The Department of Health and Human Services, in fact, made the following statement on their website:
The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.
The key term with regard to business associate agreements is “satisfactory assurances,” meaning that a signed contract explaining the terms is necessary. Once the agreement is in place, the individual or organization will be required to comply with HIPAA privacy law provisions—and punishments, if necessary.
If your practice hasn’t already created business associate agreements with outside vendors, review the samples available through the Department of Health and Human Services to get an idea of verbiage and necessary provisions. Should the unthinkable happen, it’s important to protect your practice from legal liability. Even more, knowing the expectations will help outside merchants to adjust their security standards where necessary and hopefully prevent future accidents or thefts.