Under the HIPAA Rule is okay to share information and with consultants, IT persons and others to make your office more technology suave, run more smoothly, more profitable. The HIPAA rule does not prohibit you from contracting out services to your vendors or business entities.
However, there is one catch. You must get a HIPAA Business Associate Agreement [BAA] signed. The HIPAA does not ‘typically’ cover Business Associates. The HIPAA Rule only covers medical providers, health plans and clearinghouses. But, the HIPAA tangentially reaches Business Associates by requiring medical providers, health plans, and clearinghouses to sign BAA with its services providers.
What happens if you don’t get a BAA signed? The Department of Health and Human Services [HHS] has made an example out of an entity that didn’t. On April 19, 2016, HHS published a Bulletin announcing that:
Raleigh Orthopaedic, P.A. of North Carolina [Raleigh Orthopaedic] has agreed to pay 750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 [HIPAA] Privacy Rule by handing over protected health information [PHI)] for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.
The headline of the Bulletin said: $750,000 settlement highlights the need for HIPAA business associate agreements
Per the Bulletin the back story goes something like this.
Raleigh Orthopaedic received a receipt of a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity prior to turning over the x-rays [and PHI].
In addition to paying the settlement, Raleigh Orthopaedic has agreed to:
- Develop policies and procedures for identifying Business Associates and getting BAA signed prior to disclosure of patient information.
- Develop a standard Business Associate Agreement template to use.
- Develop a process for retaining BAA for 6 years after the Business Associate Relations ends.
- Only disclosing the minimum necessary patient information to Business Associates.
These things apply to all medical providers, health plans, and clearinghouses.
Business Associate Templates
Click here to Buy