Health Information Management


HIM-HIPAA Insider, April 1, 2013

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Have a HIPAA question of your own? Please send your question to Editor Jay Kumar. (Editor's note: Due to the large volume of questions we receive, we are not able to answer all inquiries).

Q:  As a medical supplier, we contract with a group purchasing organization (GPO) that uses our services to bill medical supplies delivered to patients. Do we (the medical supply company) need to have a Business Associate Agreement (BAA) with each facility that we get claims from? Or can we have a general agreement that covers the GPO?
A:  A business associate is a person or vendor that needs access to Protected Health Information (PHI) to provide a service to a covered entity. As a medical supplier, you are a covered entity. You need to have a BAA with any person or company that needs access to the PHI you maintain to provide a service on your behalf. If you are billing for medical supplies for healthcare facilities, they are not your business associates. Since you are providing a service on their behalf, they may consider you a business associate. The individual facilities you serve may ask you to sign a BAA with their organization, or they may consider a BAA you sign with the group purchasing organization to fulfill their BAA requirement.

Q:  I am told if I elect to work from home, I will not be allowed to print any medical records. My home office is secure and I have a shredder. Would printing medical records violate HIPAA or is this too restrictive?
A:  Covered entities are required to establish policies and procedures to protect their PHI. Although many employers, including healthcare organizations, allow some staff to work from home, the organization has the obligation and the right to protect PHI. Prohibiting home-based employees from printing PHI is a reasonable step.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular