HIPAA Focus: Business Associates

By Mike McEvoy, Ph.D., RN, CCRN, REMT-P, and Paul Gillan, JD, EMT-B

According to a recent survey,1 the business associate (BA) requirements of HIPAA are the leading area of noncompliance. In this month’s HIPAA Focus, we look at the BA requirements and how they play out for fire/EMS services.

What’s a Business Associate?
A business associate, in the simplest sense, is a person or business that performs a function involving the use or disclosure of protected health information (PHI) for or on behalf of a covered entity. The rule lists some specific services that are “business associate” arrangements IF they involve the use or disclosure of PHI. Among these are the following, which are commonly employed by fire/EMS services:

  • Legal services
  • Accounting services
  • Consulting services
  • Management services
  • Administrative support services
  • Accreditation
  • Financial services

The rule also lists some specific functions that are business associate functions, including claims processing or administration, data processing or administration, quality assurance, and billing.

What’s the Purpose of the Business Associate Rule?
First let’s start with what the purpose is not. The purpose of the Business Associate rule is NOT to impose HIPAA requirements on entities that would not otherwise be bound by HIPAA. That is an absolute misstatement and has led many services to (wrongly) conclude that they don’t really need to pay attention to the BA requirements. The purpose of the BA rule is to apply YOUR services’ rules to any entity that is collecting or using PHI on your behalf. Remember that YOUR notice of privacy practices is going to set the standard for uses and disclosures of the PHI. If your BA’s protections don’t match up with your own standards, there’s potential for a violation.

Does My Fire/EMS Service Have Business Associates?
If your fire/EMS service is a covered entity, it is nearly certain that it has business associates. Few agencies do not employ at least one of the services or contract out at least one function specifically mentioned in the rule as a business associate arrangement. Keep in mind that the arrangement has to involve the use or disclosure of PHI before qualifying as a business associate arrangement. So a lawyer who assists a fire/EMS service at a real estate closing is not a business associate, but a lawyer who assists a department in dealing with a patient care complaint is. A consultant you hire to spec out a new ambulance is probably not a business associate, but a consultant who reviews your QI process is.

What Does My Service Have to Do with Its Business Associates?
First, find them. Begin by mapping your agency’s flow of PHI from cradle to grave (this is a standard component of a “gap analysis” and should have been done at the outset of your HIPAA implementation process). Consider every means by which PHI comes into your service–directly from patients, from transferring facilities, from nontransporting first response services, etc. Map internal uses such as billing and QI. Then consider every means by which PHI leaves your organization–turned over to a receiving facility, to a transporting agency, to a state-mandated QI program. Consider whether the entities you get PHI from and the entities you give PHI to are performing a function for your agency or assisting your agency in performing a function.

Next, use your accounting software to put together a comprehensive list of every outside vendor you have paid over the previous two years. Consider each vendor to determine whether you are required to disclose PHI for the vendor to do his or her job. If your relationship with the vendors is ongoing or recurring, you need to put them on the short list for getting a BA agreement in place.

From these two activities, you will quickly identify your list of business associates.

The next step is to get contracts in place with these entities. For that, you will need a model or template contract and a lawyer. (Yes, it is necessary.) The Office of Civil Rights published a “sample” BA agreement along with the final privacy rule, and that could be a good place to start. You can obtain the BA agreement freely from the OCR Web site.2 Also, various consulting services offer models at no charge.3 Most business associates will ask for changes in the model and in many cases that will be possible, although some provisions come directly from the privacy rule and cannot be changed.

Major medical vendors and service providers may themselves provide you with a BA template that you might choose to use. Do not assume the vendor’s form is drafted favorably to your agency and do not believe that you “must” accept the vendor’s form. Most of all, if you do not understand any portion of the vendor’s form agreement, get help from someone who does.

Business associate agreements should be reviewed by legal counsel before you sign them. Vendor business associates often seek indemnifications that are not required by HIPAA and which may not be covered under your agency’s insurance policies. In addition, as a covered entity, you need to ensure that your business associate will be responsive to your questions and will cooperate fully with you on issues that affect your HIPAA compliance. A bad business associate agreement may actually be worse than no business associate agreement.

Set up a system for managing the contracts. If your business associates require agreements of a defined period, the contract must be renewed in a timely fashion. If a “perpetual” agreement is used, it should be revisited periodically to make sure it still complies with the rules and other applicable state law. Do NOT rely on your memory, or your lawyer, to remind you of these things. Create a system that will put the contract back in front of a person with authority at a specified time (i.e., the term of the contract or two years, whichever is shorter).

Is My Fire/EMS Service a Business Associate of Other CEs?
Maybe. We want to say again that being a covered entity does NOT mean you don’t need a BA agreement with a covered entity if what you are doing with or for them requires it. So, other health care providers you interact with can be your business associates (and vice versa) even though you are both covered entities.

For example, if your service participates with other agencies in a joint QI committee, each agency may be a business associate of the others.4 If your agency conducts billing services for a neighboring squad, you are that squad’s business associate whether or not you are a covered entity in your own right.

At the same time, you are NOT a business associate of another provider if you are both using or disclosing PHI for your own treatment purposes. A first responder agency is usually not the business associate of a transporting ambulance when the first responders are collecting PHI for their own treatment purposes.

The business associate requirements are a critical and confusing area and are widely misunderstood by many fire/EMS services. This is the principal reason we recommend engaging legal counsel familiar with HIPAA guide your agency’s compliance.

Identifying Business Associates in the Notice of Privacy Practices
The privacy rule does not require you to identify business associates by name in your notice of privacy practices (NPP). The rule does require you to state that information may be disclosed with any additional consent or authorization to third parties as part of treatment, payment, or healthcare operations. There may be good reasons to specifically name a BA. A group of providers acting as an organized healthcare arrangement are (in some cases) required to hold out their arrangement to the public,5 and the NPP can be one way of doing that.

Get More Information
The OCR Web site has a handy searchable Q&A section with a specific subcategory for business associate issues.6 Familiarizing yourself with common misconceptions (such as that the plumber is a business associate) can help you avoid them (the plumber is not a business associate). It’s not possible to know too much about the OCR’s view on HIPAA issues, so always check there first before consulting other reputable sources.

“Certified” Bas
Some independent accreditation organizations have begun to offer business associate “accreditation” or “certification.” Your fire/EMS service may require such an accreditation as a condition of being a business associate. Practically speaking, however, such accreditations change nothing about the business associate relationship and do nothing toward satisfying any particular regulatory requirement. “Certified” BAs must be treated like every other BA in terms of performance and oversight. Do not be misled into thinking that certified BAs do not require BA agreements or that certified BAs do not require the same level of oversight you would have over any other BA.

The Reluctant (or Defiant) BA
Some fire/EMS services report that one or more of their identified business associates simply refuse to sign a BA agreement. This is one time that assistance from legal counsel is critical. Although vendors may not always take department officers seriously, a professional opinion can go a long way toward convincing a reluctant BA that having an agreement is necessary. Also, having your lawyer make a friendly call to the BA’s lawyer can often get things moving in the right direction.

If the BA remains defiant, your service will need to weigh the potential risks of noncompliance against the value of continuing the relationship. The BA’s attitude may indicate an unwillingness to accept regulatory requirements–and that may not be the kind of entity you want to be responsible for your patient’s sensitive information.

3 See, for example, http://www.hipaadvisory.com/action/privacy/NCHICABAA.doc. We are not endorsing or recommending this particular model; we are simply offering it as an example of what you can find on the Web. There are scores of others. Any business associate agreement, no matter what model you begin with, should be reviewed by a lawyer well-versed in HIPAA before it is signed.
4 If large numbers of providers are involved, it may be more expedient to treat it as an organized healthcare arrangement (OHCA).
5 See the definition of “organized health care arrangement” at 45 C.F.R. 164.501.
6 See http://www.hhs.gov/ocr/hipaa/ Look under “Educational Materials” and follow the link for “Your Frequently Asked Questions on Privacy. Select the “Business Associates” subcategory and then click “Search” for a comprehensive list of OCR snippets on BAs. As of this writing, there are 27.

Past HIPAA Focus Articles
Last-minute HIPAA: Still clueless about CE’s and NPP’s? Here’s what to do.
HIPAA Focus: Notice of Privacy Practices
HIPAA Focus: Billing and Reimbursement
HIPAA Focus: Training
HIPAA Focus: Quality Improvement
HIPAA Focus: Handling Records Requests
HIPAA Focus: Complaints

Mike McEvoy, Ph.D., RN, CCRN, REMT-P, is the EMS coordinator for Saratoga County, New York. A former forensic psychologist, he now works in the Cardiac Surgical ICU at Albany Medical Center and teaches at Albany Medical College in New York. He is a paramedic for Clifton Park-Halfmoon Ambulance Corps and medical advisor for the West Crescent (NY) Fire Department. He presently serves as a member of the New York State EMS Council and the State Emergency Medical Advisory Council and is the EMS director on the Board of the New York State Association of Fire Chiefs.

Paul Gillan, JD, EMT-B, is a senior associate attorney with the regional law firm Iseman, Cunningham, Riester & Hyde, LLP, in Albany, New York, and is admitted to practice law in New York, Maryland, and Vermont. An active EMT, he devotes a substantial portion of his practice to representation of fire and EMS services, EMS councils, and individual EMTs.

No posts to display