Compliance 101: When do you need a Business Associate Agreement?

Under HIPAA and HITECH, when “covered entities” and “business associates” share patient information (PHI), there must be a Business Associate Agreement (BAA) between the two. Think of BAAs like the baton used in a relay race – without it, everyone would be running separate races.

Covered Entities are companies that provide healthcare to patients, such as doctors, dentists, chiropractors, medical transport companies, home healthcare agencies, pharmacies, etc. They receive PHI directly from patients.

Business Associates are companies that perform services for Covered Entities, such as medical billing companies, software vendors, collection agencies, accountants, etc. They receive PHI from the Covered Entity.

Business Associates may also share PHI with other Business Associates. Along the chain of contractors, one is either an upstream contractor (closer to the Covered Entity) or a downstream contractor (farther from the Covered Entity). BAAs contain terms that require each party to take reasonable measures to protect PHI. (This is why BAAs are your friend. Really.)

EACH LINK IN THE CHAIN OF CONTRACTORS MUST BE SUPPORTED BY A BAA.

(… Pause to let that sink in…)

Without a Business Associate Agreement in place for each link of the chain, you’re leaving yourself open to liability. It’s a simple document required by the federal government. Make sure you protect yourself and PHI!!

Erica Pero, an attorney with Pero Law, focuses her practice on health law. She helps healthcare professionals navigate the complexities of running a business in today’s healthcare industry. Pero Law is a lean law firm committed to excellent customer service and exceptional legal representation. perolaw.com