Firms providing support and assistance to healthcare organizations often enter into debate with their customers as to whether they and their offerings fall into the definition of a business associate and therefore require execution of a Business Associate Agreement (BAA) or Business Associate Contract (BAC).
In many cases, the answer is clear. According to the Health Insurance Portability and Accountability Act (HIPAA), a business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity” (45 CFR 160.103). The regulation provides some examples of this relationship, such as a firm providing claims processing services to a hospital, a CPA or attorney who requires access to PHI to provide their services, an independent transcription service, and others. However, exceptions to this relationship also exist. The two most commonly cited are disclosures by a covered entity to a health care provider for treatment of the individual, and incidental disclosures where the services provided do not involve the use or disclosure of PHI (45 CFR 164.502(e)).
Where the regulation’s wording is clear, the exercise of determining which of a health care provider’s relationships with supporting individuals or organizations qualify can be accomplished easily. However, the continued adoption of electronic medical record technology, together with the emphasis on quality and efficiency, has placed PHI on the doorstep of many organizations that have never before had to consider their own ability to safeguard this data.
One such example is the evolution of the role of medical devices in the healthcare setting. Once “dumb” machines responsible for performing a single, narrowly specified task, these devices have become smarter: they now integrate into the provider’s network and transmit critical information, PHI included, to the organization’s electronic medical record (EMR) or to other systems such as the picture archiving and communication system (PACS).