Is a Business Associate Agreement Necessary?
Imagine you recently hired a cleaning company who comes in after business hours. While doing their duties in your facility the cleaning company may come across protected health information (PHI). Is a business associate agreement necessary?
First off, a business associate is not considered a part of the covered entity's workforce. A business associate is a person or entity who performs functions or activities that create, receive, maintain or transmit PHI on behalf of, or provide services to, a covered entity.
Quick HIPAA definition: What is a Business Associate?
You can understand a business associate as:
- A person that offers a personal health record to one or more individuals on behalf of a covered entity.
- A Health Information Organization, E-Prescribing Gateway, or other person that provides data transmission with respect to PHI to a covered entity and requires access on a routine basis to such PHI.
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.
Yes, especially in these situations.
A business associate agreement is needed if:
- A person or entity creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA, such as: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, and practice management.
- A person or entity who provides legal, accounting, consulting, management, administrative, accreditation or financial services where services involve disclosure of PHI to the person or entity.
- A person or entity who will be able to access PHI on a routines basis, and/or there is a possibility that the PHI in the person or entity's custody or control could be compromised. For example, a document shredding company.
According to HHS, janitorial services that clean offices or facilities of a covered entity are generally not business associates. Therefore, a business associate agreement would not be necessary. However, If a janitorial service is hired to do work for a covered entity where disclosure of protected health information is not limited in nature (such as routine handling of records or shredding of documents containing protected health information), it likely would be a business associate.
Requirements of Business Associate Agreement
At the foundational level, BAAs must encompass three provisions:
- Decide the permission level of what PHI the Business Associate can access.
- Require that the Business Associate will use appropriate safeguards to secure PHI.
- Provide that the BA will not disclose protected health information save when permitted by the agreement.
If you have additional questions about business associates, business associate agreements, or need further assistance, please do not hesitate to contact one of our professional consultants.