How do you know who is a HIPAA Business Associate?

One of the first processes we go through for HIPAA Compliance is to identify all Business Associates (BAs).  That has to be done for Covered Entities (CEs) and BAs alike.  The Final Rule has changed the status and viewpoints for many CEs and BAs, and we have addressed a lot of questions on the topic lately.  Now seemed like a good time to go through some of the examples and tips we have discussed with a variety of clients.

The new rule makes it clear: signing an agreement doesn’t make you a BA; doing work that gives you access to PHI makes you a BA.  People have claimed exemptions for various reasons for years, and that can’t be done any longer.  There are many BAs struggling with the process right now.  Last week, a BA responded to a readiness survey from one of the CEs in our compliance program with a single question: “Do we have to fill this out?”  I am certain that business qualifies as a BA, and they obviously have no idea what is going on.  Checking on your BAs should be a top priority based on what we are seeing and hearing.

A great way to make sure you have all BAs on a list is to use your accounts payable as well as the 1099s you generated.  Take a minute to think about every one of them, because some may need attention for other HIPAA reasons than being a BA.  We expect at least 5 or 6 BAs for most groups we work with on compliance.  Depending on their structure, size and activities there can be many more.  Small CEs and BAs have a different environment than large entities.  It is worth going through the whole list.

Here is a list of similar businesses you may find on your AP/1099 list.

  1. Scrubs That Are Best – Scrubs Service – We will call them STAB
  2. Clean and Pretty – Cleaning Service – CaP
  3. People Ask You, Inc – Collections Service – PAY
  4. Patterson, Salvatori, Bitterman and Enis – Attorneys – PSBE
  5. Zimmerman and Pierce – Heating and Air Service – ZaP
  6. Melissa Odum-Madison – Contracted bookkeeper – MOM
  7. Shred, Haul, Install and Track – Document management – we will just call them the shredding company
  8. Hippert, Ikemoto, Paine, Abruzzo and Alvarez – CPA Firm – HIPAA
  9. Advanced Concepts for Your Information Technology – IT support – what everyone calls them: the computer guy
  10. Medical Equipment Devices – Provide medical devices for tests – MED

Now, let’s go through the list and discuss how they may be classified and evaluated.

1- STAB only supplies scrubs for the office, so that shouldn’t be a big deal and no HIPAA involved, right?  But in our conversation about BAs we learned that the STAB delivery staff has keys to the back door to drop off the clean scrubs and pick up the dirty ones each week.  That leads to more questions and decisions that must be made about their physical access.  While they aren’t a BA for the work they do, they have access that does fall under HIPAA regulations and may have been missed without this exercise.  Don’t put them on your BA list, but put them on your “gotta deal with that one” list.

2- CaP only comes in to clean, so they should be fine.  We have had them for years and it is a family business.  No HIPAA problems, right?  That depends.  Do you lock up all your charts and computers every night?  Do they only clean when someone is at the office who watches over their work?  In March, the Atlanta Journal reported a case of identity theft that involved office cleaning companies.  People would work for a cleaning company for just a week, filling in for someone, and stick a USB device in a couple of computers the first night, then pick it up the last night of their temp job.  The whole time it is logging keystrokes on each computer.  They end up with all the information typed on that computer for the week.  Personally, I find it hard to give cleaning companies the benefit of the doubt in offices any longer.  I think they need to be BAs to be cleaning offices for CEs and BAs now.  There are some cases where they aren’t, but it requires laying out very specific guidelines on how the service will be managed in your office.  Most small businesses don’t have that ability.

3- PAY gets a list of patients and all their contact information in order to do the collections.  I have heard some collection companies claim they don’t get treatment information so they aren’t BAs.  What do you give them to contact your patients?  To do your collections they know the patient saw your practice, and they have to have some reference, like a date of service.  Then you have to give the date of birth, address and phone.  Well, you see what I mean.  I recommend you treat them as a BA or get a HIPAA attorney involved with an opinion.

4- PSBE handles malpractice claims among other duties for your practice.  There are plenty of references pointing out that they are BAs.  Don’t be surprised if they aren’t eager to admit it, though.  That reluctance isn’t unheard of, but it should be less likely under the new rules.

5- ZaP doesn’t need access to any PHI in order to do their job for you.  But, just as with STAB, the discussion does bring up another issue.  When they come in to work on things in your office, does anyone notice what they are doing or where they are while they are doing it?  Incidental disclosures may happen through the vents they are working on, but what about the story about the USB drive and the cleaning crew?  Should you really just let them roam around the office without a thought?  Add another one to the “gotta deal with that one” list.

6- Good ol’ MOM comes in and helps do the bookkeeping.  She works for us on a 1099 basis, but only for us and no other practices or businesses.  Part of the bookkeeping work does make it necessary for her to have access to PHI, so what do we do?  Is MOM a BA?  Oh no!  That will just not work – what are we going to do?  Who is going to tell Dr. Madison that MOM is a BA?  Wait, calm down.  No one needs to upset MOM or Dr. Madison.  A 1099 does not make anyone a BA.  In this case, MOM is a member of your workforce under HIPAA definitions.  Include her in the same training and rules you use for all your other employees.  Add it to your “gotta deal with that one” list to make sure she is included in all the training programs.

7- The shredding company.  We have them covered: they know they are a BA and we have a BAA with them.  But we still need to check the status of the BAA and update it with the latest requirements.  They also need to provide some assurance that they actually are following compliance requirements.  Another thing, though.  As you were pointing out your shredding bins, they turned out to be just large garbage containers with a lid on them.  There are no locks or anything.  Anyone can open them up and take things out at will.  They sit out of the way, so no one notices them.  When you contact your shredding company you should probably ask for a more secure container, one that isn’t so likely to spill documents on the street or make it easy to grab a handful of them.

8- HIPAA knows they have to deal with HIPAA.  It is in their name!  They write refund checks and have all the details of that patient to reference for accounting for the refund checks.  BA.

9- The computer guy is what everyone calls IT companies in their office.  We are used to it.  We are also used to having access to everything.  There are some “computer guys” that make a case for not being a BA because they never look at the patient data.  Having access to everything means access to everything, including ePHI.  You really must have an IT company that is a BA and understands HIPAA Security Rule requirements.  They have to help you implement, monitor and manage your compliance.  BA, big time, because you need them to be one unless you have your own in-house IT skills to manage it.

10- MED is like most device companies trying to figure out exactly how they will handle HIPAA.  They have to do it.  How much data those devices hold now is being discussed all over the place.  They should be better prepared than any of the others on this list for your BA readiness survey.

Hopefully, this helps answer some questions concerning BAs for all those involved.  It may open up more questions but at least we are talking about it differently than before.

Special prize to the first person who correctly identifies PSBE relevance in the example.
