A Business Associate (“BA”) is a third party that performs services or functions that require the use of or access to protected health information (“PHI”) for an entity that is covered by Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). It can also be a subcontractor of someone who does business with the entity, when that subcontractor might have access to this same information.
HIPAA requires that we have a signed agreement with our business associates. This agreement lists obligations and responsibilities of both organizations pertaining to the protection and use of the PHI. The agreement is called a Business Associate Agreement (“BAA”).
In order to determine whether you need a BAA, you need to know whether PHI will be accessed by, or transferred to, someone outside of our organization. A more detailed definition is given in the definitions section below, but PHI can be broadly defined as follows:
Any oral or recorded information relating to past, present, or future physical or mental health of an individual, the provision of health care to the individual, or the payment for health care and that also contains information which makes it possible to identify the individual.
Do you need a BAA?
Please see the Decision Tree below.
If you need a BAA, where do you find it?
Contact the Chief Legal Officer or Compliance Office for a copy of ARHS’s approved BAA. If the BA that you are working with requests you use their BAA, it will need to be reviewed by the CLO prior to signing.
How long is the agreement valid?
Due to revisions in the federal code, any BAA completed prior to 2016 needs to be reviewed to ensure that it is still valid. Otherwise, each agreement should have an effective date and a termination date.
Who can approve the BAA?
All BAAs should be forwarded to a VP or higher for approval/signature. After the agreement has been signed by both parties, a copy should be sent to Deatra Sellers so that it can be included in our contract database.
For questions, call either the CLO at 828-266-8915 or the Compliance Office at 828-262-4239.
- PHI is defined as, “Any oral or recorded information relating to past, present, or future physical or mental health of an individual, the provision of health care to the individual, or the payment for health care and that also contains information which makes it possible to identify the individual.” The eighteen (18) identifiers that, according to guidance from the Department of Health and Human Services Office for Civil Rights, make health information individually identifiable (and therefore PHI) are:
- Names;
- Geographic subdivisions smaller than a state: street address, city, county, precinct, zip code;
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89;
- Telephone number;
- Fax number;
- Email address;
- Social Security number;
- Medical record number;
- Health plan beneficiary number;
- Account number;
- Certificate/license number;
- Vehicle identifiers, serial number, or license plate numbers;
- Device identifiers or serial numbers;
- Web URLs;
- IP address;
- Biometric identifiers, such as fingerprints or voice prints;
- Full-face photos; and
- Any other unique identifying numbers, characteristics, or codes.
- “Members” of an ARHS workforce include employees, volunteers, interns, and others whose conduct in the performance of work is directly under the control of an ARHS entity. Individuals can be members of an ARHS entity’s workforce even if they are paid by another party, as long as their work is managed and controlled by an ARHS entity.
Other Instances in which a BAA may not be Required
In addition to the most commonly occurring situations mentioned above, there are other instances in which a BAA may not be required for disclosure by an ARHS entity, including:
- Disclosures to governmental agencies pursuant to official investigations (e.g., Centers for Medicare & Medicaid Services, US Department of Health and Human Services Office for Civil Rights, US Food and Drug Administration, Federal Bureau of Investigation);
- Disclosures to FDA-regulated medical device manufacturers for adverse event reporting or for other purposes relating to the quality, safety, or effectiveness of an FDA-regulated device; and
- Research conducted pursuant to ARHS policies in which appropriate informed consent forms are obtained from the subjects of the research.