When physicians and other providers who are “covered entities” share protected health information (“PHI”) with a third party, they always need to determine whether that third party is a business associate and, if so, to assure compliance with the Health Insurance Portability and Accountability Act (HIPAA) by executing a business associate agreement (BAA). In my experience, most providers understand a business associate to be the IT company, the billing company and certain other contractors who regularly access PHI, but they may not realize that other business relationships also warrant a BAA.
Although most physician practices perform regular HIPAA training, routine training usually focuses on day-to-day patient interactions. The business staff of a covered entity also needs to be trained to question every business (and potential business) interaction to see whether a BAA is needed, and, when in doubt, to execute one. Your practice should always have a designated individual who can assess whether a third party is a business associate and who makes sure a BAA is in place when needed. This individual should also establish a process for maintaining all of the practice’s BAAs. Additionally, the process your practice follows with regard to BAAs should be added to the practice’s HIPAA policies.
When putting together or amending the form of BAA your practice uses, consider adding a requirement that the business associate indemnify the practice for any HIPAA violations it causes. I also recommend that contracts with all third parties who are business associates require the business associate to maintain, and show evidence of, HIPAA/HITECH insurance that names the practice as an additional insured. Practices should make sure they acquire this type of coverage for the practice itself as well, since HIPAA breaches can be expensive.