The government has created the concept of “business associates” to address this. A business associate is a person or entity that has access to your patients’ PHI in order to do work on your behalf that you might otherwise hire your own work force to do. Examples include billing companies, transcription services, practice management companies, financial managers, outside auditors who review your records for documentation compliance, mailing services that send bills to your patients, your software vendor, your medical records off-site storage company, even a lawyer who may review PHI in connection with a Medicare audit.
Unfortunately, the privacy rule does not include an exhaustive list of all possible business associates. One of your basic challenges will be to identify your business associates. Why does it matter? Because to comply with the privacy regulation, you must have a written contract with each business associate that basically says it will safeguard PHI to the same extent that you do as a covered entity. While a signed contract does not make you a guarantor of a business associate’s performance, one that is not HIPAA compliant can create real liability for you. It will benefit you to deal with companies and vendors who understand HIPAA and have their own privacy policies and procedures in place.
HIPAA doesn’t require you to have a business associate agreement with some providers to whom you refer for treatment, such as other physicians, a hospital, lab or pharmacy. However, if these providers also perform work-related functions for you (e.g., a hospital leases you a nurse or a typist on a part-time basis), they are considered your business associate as well as a provider to your patients. It is important to determine all the ways you use PHI, who has access to it within your practice, and to whom you disclose it outside your practice.
According to the privacy rule, you will have until April 14, 2003, to get agreements signed with new business associates and until April 14, 2004, for existing business associates.