HIPAA Q&A: Who is a BA?
HIPAA Weekly Advisor, May 17, 2010
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q. Can you provide a comprehensive list of business associates (BAs)?
A. BAs are individuals and companies that require access to PHI to perform a service on behalf of a covered entity. Many different types of BAs exist, depending on the organization’s business practices, such as:
- Billing services
- Coding auditors and consultants
- Collection agencies
- Comparative database vendors (if the information reported to the vendor identifies individual patients)
- Contract coders
- Financial auditors and consultants
- Law firms that provide malpractice defense
- IT vendors that have access to computer systems containing protected health information
- Medical equipment vendors (if the equipment records patient-identifiable information)
- Medical transcription companies
- Patient satisfaction survey vendors
- Record storage companies
- Release-of-information vendors
- Shredding vendors
Not all vendors are BAs. Vendors that don’t need to access PHI to provide services to the covered entity are not BAs. Incidental or accidental access to PHI doesn’t make a vendor a BA.
Vendors not considered BAs include:
- Architects and space planning consultants
- Building engineering companies
- Delivery companies (e.g., FedEx or UPS)
- Environmental services companies
- Management consultants
- Valet parking services
Editor’s note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters. Brandt is president of Brandt & Associates, Inc., a healthcare consulting firm in Bellaire, TX. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations. She is also the former director of policy and research for the American Health Information Management Association.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- QA:Coding multiple initial infusions
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched