Healthcare providers work with other companies to perform certain business functions. Some of these contracted companies will access your facility, your IT systems and even your patient data to perform their activities. If a contracted company has access to your patients' data, either directly or through your IT systems, then HIPAA considers it a Business Associate (BA).
HIPAA defines a Business Associate as:
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Some examples of Business Associates are:
- Billing companies that access your patient information to bill patients.
- IT companies that access your IT systems to provide support.
- Software/EHR companies that access your EHR for maintenance and updates.
- Data backup companies that store your patient data.
- Electronic fax companies that receive, send and store patient data.
The common factor, and the most important point, is access to your patients' electronic Protected Health Information (ePHI). If a company has access to it, it is a Business Associate. Some contracted companies, such as a web design company, may not need access to your patients' ePHI, so they are not considered Business Associates. A member of your own workforce is not considered a Business Associate.
If you are not sure whether a contracted company is a Business Associate, it is better to assume it is. Under the HIPAA Security and Privacy Rules, Business Associates are required to sign Business Associate Agreements (contracts) that protect you and your patients' ePHI.
As an IT service provider, we sign a Business Associate Agreement with all of our healthcare clients, for their protection and also for ours. Signing a BA agreement with our clients lets them know we take HIPAA compliance seriously.