Should You Sign a Business Associate Agreement Under HIPAA?
Dr. Smith left you a voicemail at 10 p.m. on a Sunday night. You couldn’t make out the entire message due to a weak cellphone signal and background noise, but you gathered he was talking about the Health Insurance Portability and Accountability Act and needing you to sign something called a Business Associate Agreement.
Dr. Smith is an excellent dermatologist, but you know from doing his taxes that regulatory compliance isn’t necessarily his forte.
The Business Associate Agreement isn’t a contract for services or a typical non-disclosure agreement. It deals only with your responsibilities as a “business associate” under HIPAA. The Department of Health and Human Services released a whole new set of HIPAA rules on Jan. 23, 2013, with an effective date of Sept. 13, 2013. Most clients in the medical and dental professions are “covered entities” under HIPAA because they collect, maintain or transmit protected health information (PHI).
You play phone tag with Dr. Smith for a few days. When you finally reach him, you explain that you don’t have access to his patients’ medical records and thus don’t think the Business Associate Agreement applies to you.
“No, it does,” says Smith. “You have my patients’ names from the refunds account in QuickBooks; that’s PHI too.”
Dr. Smith is right. The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate (in this case your firm), in any form or media, whether electronic, paper or oral. PHI goes beyond medical records. Patient names, addresses and Social Security numbers are also protected.
Remember the key word, “identifiable.” If patients can’t be identified from the data that you hold or transmit on behalf of Dr. Smith, you don’t have PHI and should not be required to sign a Business Associate Agreement.
Avoid holding PHI whenever possible. As a business associate, anytime you hold PHI on behalf of a client, you are directly liable under the HIPAA rules and subject to civil and criminal penalties for unauthorized use and disclosure of PHI. You’re also liable for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule. This also means you must require any cloud-based software or data storage providers that you use to sign a Business Associate Agreement as well.
Because HIPAA puts no restrictions on the use or disclosure of de-identified health information, you should request de-identified data whenever possible in lieu of signing a Business Associate Agreement.
Dr. Smith concedes that his staff can de-identify patient refund data before providing it to you. “But you prepare our payroll too,” says Smith. “This potentially gives you access to PHI on my employees.”
This time, Dr. Smith is wrong. The HIPAA Privacy Rule excludes employment records that a covered entity maintains in its capacity as an employer.
Equally important, HIPAA contains a “minimum necessary” rule, which provides that the healthcare provider should share with the business associate only the PHI required for the engagement. If you encounter a situation (in an audit, for example) where in your professional opinion it is necessary for you to access PHI, you will likely need to sign a Business Associate Agreement. You should limit the quantity of patient data to only what you need and no more. If you’re not 100 percent sure your electronic systems meet HIPAA security standards, including data encryption, request printed copies only.
Most Business Associate Agreements (BAAs) use standard language provided by the sample agreement available on the HHS website. You should familiarize yourself with the standard language so that, when you review a Business Associate Agreement provided by a client, you can focus on any additional language unique to the engagement.
AU-C section 250, Consideration of Laws and Regulations in an Audit of Financial Statements, provides general guidance applicable to Business Associate Agreements. More specific guidance is available in Health Care Industry Developments – Audit Risk Alert 2013/14. You can download the reference chart that accompanies this article for future use as well.
Mark O. Dietrich, CPA/ABV. Mark is co-author of The Financial Professional’s Guide to Healthcare Reform and served as chairperson of the AICPA’s Healthcare Industry Conference in 2012 and 2013.