Some vendors might balk, but it’s the rule.
Medical practices often have to do business with outside vendors. Many of these outside vendors are bound to follow business associate (BA) guidelines under the Health Insurance Portability and Accountability Act (HIPAA).
To avoid any confusion or angst during your vendor negotiations, be sure to know if, and when, a vendor is a BA.
Any vendor that gets anywhere close to your patient’s health information is a potential BA to HIPAA.
Expert input: The vendor is a HIPAA BA if it receives, maintains, stores, accesses, or transmits health-related information in the course of providing services, according to a June 9 blog posting by partner attorney Laurie Cohen for the law firm Nixon Peabody LLP.
The feds might also consider a vendor a BA if the health-related information is protected health information (PHI), as defined by HIPAA, and if that PHI originates from a covered entity (CE).
Though it’s rare, some vendors might initially object to being categorized as a BA, because any BA must play by some pretty stringent rules. According to Cohen, at a minimum, a HIPAA BA must:
Any BAs that you work with must understand the requirements and their responsibilities under HIPAA. This is especially important as the HHS Office for Civil Rights (OCR) rolls out its audit process later this year, which is also expected to target CEs as well as their BAs, Cohen warned.