During our mock HIPAA audit process, we always verify Business Associate Agreements (BAAs) for our clients who are either Covered Entities (CEs) or Business Associates (BAs). In the process of deciding which BAAs are required, we are often asked about what agreement needs to be in place between two CEs who are working together.
For instance, one physician may refer a patient to a specialist physician. The first physician may send over medical records to the specialist. My clients want to know if a BAA is required between these two physicians.
At first glance, it seems as though a BAA might be required. Let’s look at the law itself:
(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
- (i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
- (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
- (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
- (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
- (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
(4) Business associate does not include:
- (i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
- (ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
- (iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
- (iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
The answer, it turns out, is that two CEs both treating the same patient do not need a BAA to share Protected Health Information (PHI). For example:
- A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
- A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
- A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.
Alternatively, there could be a situation where two Covered Entities want to work together and share PHI for patients that aren’t being treated by both CEs. In that case, a Covered Entity can also be classified as a Business Associate requiring a Business Associate Agreement between the two organizations.
It is unusual for a Covered Entity to be a BA of another Covered Entity, but it does happen. For instance, two research hospitals might be working together on a research project and share PHI in the course of their research. If both CEs aren’t treating the patient, then, depending on other circumstances, the two hospitals may need a BAA on file.
If your situation doesn’t involve caring for the same patient, double-check the law and see if you need a Business Associate Agreement.
If, like most CEs, you only share PHI with other CEs who are also treating your patient, you should not need a formal agreement drawn up and signed.