Business Associate Agreements, HIPAA, and Physician Practices

October 1, 2018

HIPAA compliance can seem far reaching at times, but it is required of every physician practice and of those they partner with. Keep in mind that not everyone who accesses Protected Health Information (PHI) has to sign a Business Associate Agreement (BAA). When you’re working with medical records, nothing is more important than maintaining the privacy of the patient, and there are many situations in which an outside entity accesses PHI.

Keep in mind that most of the entities that access medical records are considered business associates (BAs), and thus subject to the Health Insurance Portability and Accountability Act (HIPAA) when handling PHI. However, a lot of companies and people aren’t required to comply with HIPAA, and there are many times when health information may be available to these people and companies.

As a covered entity (CE), you can allow certain entities to access your patients’ PHI by obtaining a signed business associate agreement (BAA) from them. With others, however, you cannot legally bind them to HIPAA. As you know, if a provider is considered a BA, you must get a BAA contract signed in order to safeguard PHI according to HIPAA standards. Remember, many BAs perform services that don’t involve patient interaction, so make sure you’re on the lookout for BAs of all shapes and sizes.

BAs can perform many different services for a covered entity, including (but not limited to):

  • Accounting
  • Actuarial
  • Administrative accreditation
  • Billing
  • Benefit management
  • Certain patient safety activities
  • Consulting
  • Data aggregation
  • Data analysis
  • Data transmission
  • Legal
  • Management
  • Practice management
  • Processing or administering claims
  • Quality assurance
  • Re-pricing
  • Utilization review

BAs Are Bound By Association Agreement

When you have identified an entity as a BA, you must execute written contracts in order to make sure they safeguard PHI according to HIPAA standards. Business associates must do the same with any of their subcontractors who can be considered business associates.

When you’ve got a signed BAA on file, it binds the entity to HIPAA – so make sure you get them signed, if law allows, before sharing PHI. Business associates are subject to many of the same privacy and data security standards that apply to covered entities and may be subject to HHS (Health and Human Services) audits and penalties.

Suggestion: Protect your practice from any missteps a BA makes by getting a signed BAA on file. For more information on constructing BAAs, search for sample business associate agreement at

HIPAA Doesn’t Apply to Gyms, Marketers

Obviously, you’ll want to get a signed BAA from any entity that you can consider a BA. Don’t go chasing waterfalls, though. Some entities aren’t bound by HIPAA and a BAA might not do much good.

The following are examples of entities that aren’t covered under HIPAA but may handle health information:

  • Life and long-term insurance companies
  • Worker’s compensation insurers, administrative agencies, or employers (unless they are otherwise considered covered entities)
  • Agencies that deliver Social Security and welfare benefits
  • Automobile insurance plans that include health benefits
  • Search engines and websites that provide health or medical information and are not operated by a covered entity
  • Marketers
  • Gyms and fitness clubs
  • Direct to consumer (DTC) genetic testing companies
  • Many mobile applications (apps) used for health and fitness purposes
  • Those who conduct screenings at pharmacies, shopping centers, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions
  • Certain alternative medicine practitioners
  • Most schools and school districts
  • Researchers who obtain health data directly from health care providers
  • Most law enforcement agencies
  • Many state agencies, like child protective services
  • Courts, where health information is material to a case

Suggestion: Consider each request carefully and consult with an attorney if you have any questions about disclosing PHI. Handling patient information is situational and will largely depend on who the provider has a BAA with.
