How can we determine who our business associates are?
HIPAA Weekly Advisor, March 22, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: How can we determine who our business associates are?
A: Most covered entities require the assistance of contractors and vendors to help them carry out their day-to-day operational activities. These "business associates," as they are called in the privacy rule, are "any persons or entities that provide certain functions, activities, or services for or to a covered entity involving the use and/or disclosure of PHI."
Determining which contractors and vendors are business associates can be difficult. A company considered a business associate for one covered entity may not be for another. It all depends on whether the company has access to PHI.
Consider several scenarios:
- A covered entity's janitorial service has no need to use or disclose the covered entity's patients' PHI. However, if during the day-to-day routine of cleaning the facility, PHI is visible to the cleaning staff, the covered entity has violated the privacy rule. In this scenario, the covered entity should consider the janitorial service a business associate and make sure it has an agreement in place.
- A regulatory attorney provides legal services to a covered entity. If the services do not include the disclosure of PHI, the attorney is not a business associate. However, legal services provided by a malpractice attorney will likely involve the disclosure of PHI. In that case, the attorney is a business associate.
- Covered entities may be business associates of other covered entities. For example, a hospital may provide billing services for a medical practice. In this case, the hospital is a business associate of the medical practice.
When developing your list of business associates, do not overlook pharmaceutical representatives and others who may have access to PHI, but do not receive money from the covered entity.
The following list can serve as a guide to help identify who your business associates are:
- Billing service/agency
- Collection agency
- Accountant/consultant
- Lockbox service
- Transcription service
- Practice management software vendor
- Electronic medical records software vendor
- Hardware maintenance service
- Off-site record storage/disposal service
- Independent contractors who provide business/administrative services on-site
- Independent contractors who provide clinical services
- Outside cleaning services
- Repairmen (copier, x-ray, lab equipment, etc.)
- Courier services
Editor's note: Answered by Rebecca Jones, consultant for Gates, Moore, & Company in Atlanta. Go to http://www.gatesmoore.com for more information.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched