Sharing Health Info With Vendors? Consider Them BAs

Posted on 22 Sep, 2015 | By Chris Boucher

Some vendors might balk, but it’s the rule.

Medical practices often have to do business with outside vendors. Many of these outside vendors are bound to follow business associate (BA) guidelines under the Health Insurance Portability and Accountability Act (HIPAA).

To avoid any confusion or angst during your vendor negotiations, be sure to know if, and when, a vendor is a BA.

Transmitting Health Info Translates Into BA Status

Any vendor that gets anywhere close to your patients’ health information is a potential BA under HIPAA.

Expert input: The vendor is a HIPAA BA if it receives, maintains, stores, accesses, or transmits health-related information in the course of providing services, according to a June 9 blog posting by partner attorney Laurie Cohen for the law firm Nixon Peabody LLP.
The feds might also consider a vendor a BA if the health-related information is protected health information (PHI), as defined by HIPAA, and if that PHI originates from a covered entity (CE).

BAs Must Follow Specific Protocol

Though it’s rare, some vendors might initially object to being categorized as a BA, because any BA must play by some pretty stringent rules. According to Cohen, at a minimum, a HIPAA BA must:

  • develop HIPAA privacy, security, and breach notification policies;
  • perform a security risk assessment;
  • provide HIPAA education to its workforce; and
  • prepare a BAA to use with its own subcontractors who receive, maintain, store, access, or transmit PHI in the course of providing services.

Any BAs that you work with must understand the requirements and their responsibilities under HIPAA. This is especially important as the HHS Office for Civil Rights (OCR) rolls out its audit process later this year, which is expected to target CEs as well as their BAs, Cohen warned.


Chris Boucher

Chris Boucher has nearly 10 years of experience writing various newsletters and other products for The Coding Institute. His blog will cover several areas of coding and compliance, including CPT® coding, modifiers, HIPAA compliance and ICD-10 coding.
