One of the most frequent topics we hear questions about is business associates. Whether you are a covered entity or a business associate, you need to understand the rules and how you can comply with your part under HIPAA.
- which vendors are HIPAA business associates?
- what is a subcontractor business associate?
- what is my responsibility for managing business associates?
A new practice manager at a dental practice (ABC Dental) wanted to make sure she correctly identified all the practice’s business associates and had business associate agreements with each. She realized the dental practice uses a dental lab to produce products for their patients: retainers, braces, crowns, bridges and dentures. The practice shares protected health information (PHI) with the lab to accomplish this, but there was no business associate agreement on file.
ABC Dental also leases space to an independent orthodontist. The orthodontist uses their own separate WiFi connection and does not serve ABC Dental’s patients, except coincidentally – they don’t share patient records or coordinate care.
Does she need business associate agreements with the lab and the orthodontist?
Similar scenarios at hospital systems, doctors’ offices, behavioral health clinics, chiropractors, physical therapists and home health agencies raise similar questions. We also hear questions from business associates – billing and coding companies, practice management consultants, collection agencies and law firms.
Business Associates Defined
Business associates are vendors (to a covered entity) that “create, receive, maintain or transmit” PHI while performing a service involving the PHI. Common examples include billing and coding companies, storage companies, IT and EHR vendors, medical device makers, cloud service providers, collection agencies and accounting firms. A member of the workforce is not a business associate, even if they are an independent contractor and not an employee.
A subcontractor business associate is a vendor (to a business associate) that “creates, receives, maintains or transmits” PHI while performing a service involving the PHI. Examples include cloud service providers, IT vendors and storage companies.
Business Associate Questions
Note that HHS makes it clear that the answer to each scenario is fact-dependent. If you have a question not directly answered here, let us know and we can guide you to further educational resources for answers.
Business Associate or Covered Entity
Question: Is a dental lab that provides products for a dental practice a business associate of the practice?
Answer: No. The dental lab is another covered entity and should have its own policies and procedures for HIPAA compliance. A business associate agreement between the dental practice and the dental lab is not required. The HIPAA Privacy Rule permits covered entities to disclose PHI to another covered entity without the patient’s authorization, if the disclosure is for the purpose of treatment.
However, in some situations that do not involve treatment of individual patients, a dental lab may qualify as a business associate under HIPAA. In those situations, a business associate agreement would be required.
Question: Is an orthodontist who leases space from a dentist a business associate (orthodontist uses a separate WiFi, has no access to the practice’s electronic records and doesn’t provide care to the practice’s patients)?
Answer: No. The answer is the same as for the dental lab. The orthodontist is another covered entity and should have its own policies and procedures for HIPAA compliance. A business associate agreement between the dental practice and the orthodontist is not required.
Business Associate, Workforce Member or Neither
Question: We are a community health clinic that regularly relies on volunteers to help with fundraising and community outreach events. Are the volunteers we use business associates?
Answer: No. Volunteers are not business associates but are considered workforce members under HIPAA. You should provide them with basic HIPAA training and have them sign a confidentiality agreement to fulfill your HIPAA responsibilities.
Question: We use a janitorial service to keep our medical office clean. The janitorial staff may be exposed to PHI in our office even though we are following HIPAA protocols to maintain patient privacy. Is the janitorial company a business associate?
Answer: No. A contractor who is not performing a service that directly involves PHI is not a business associate, so a business associate agreement is not required. However, because the janitorial staff may incidentally be exposed to PHI, we recommend obtaining a confidentiality agreement with them.
Medical Device Manufacturers
Question: Is a medical device manufacturer a HIPAA business associate?
Answer: It depends. If the manufacturer provides a medical device to a covered entity and then services the medical device for the covered entity in a manner that requires the manufacturer to “create, receive, maintain or transmit” PHI to enable the covered entity to provide healthcare, the manufacturer is a business associate. The covered entity must have a business associate agreement with the manufacturer and the manufacturer must comply with the HIPAA rules that apply to business associates.
If the manufacturer does not perform services related to the medical device that involve disclosure of PHI from a covered entity, it is not a business associate. Note that when a medical device manufacturer supplies a device only to an individual and not on behalf of a covered entity, the HIPAA rules do not apply, e.g., a company that makes pulse oximeters sold only at retail stores.
What Happens After a Breach
Question: We provide billing and coding services for several physician groups in our region. Our system was hacked recently and we believe PHI may have been breached. We don’t know the extent of the damage yet, but an investigation is underway. Will we need to notify affected patients? Should we report this breach to the U.S. Department of Health and Human Services (HHS)?
Answer: Your first priority is to follow the business associate agreement you have with the covered entity physician groups. Usually you are required to let them know as soon as possible, provide all the facts you have, and continue to follow their directions. It is the covered entity’s responsibility to notify patients and HHS, and you can assist by promptly providing all the information requested.
Both covered entities and business associates need their own HIPAA policies and procedures, and both need to conduct HIPAA Risk Analysis and Risk Management.
Review the HIPAA requirements related to business associates – whether you are a covered entity or a business associate with subcontractor business associates, you need to conduct due diligence and have business associate agreements in place.
If you have questions, The HIPAA E-Tool® can help.