What do you do if you have signed a Business Associate Agreement (BAA) with a covered entity, but are getting protected health information (PHI) from the covered entity in conjunction with health care treatment you provide to the individual? What if another covered entity provider has contracted with you to provide services to that provider’s patients? What if you are a covered entity health plan that wants to share PHI with a health care provider, such as a clinical laboratory, in conjunction with an employee wellness program? These are just a few of the situations that come up where the need for a BAA may be questionable and/or the roles of the parties to that BAA are not entirely clear.
Rather than protecting health information, the unnecessary or sloppy BAA may actually just create a HIPAA headache.
The “Springing BAA” is the term I’ll use for a situation in which the parties routinely create, receive, maintain, or transmit information that is not PHI in the course of one party’s performance of services on behalf of the other party, but the parties realize that, at some point in the future, the services may involve information that is PHI. So as to avoid having to address their HIPAA obligations by entering a BAA down the road, they enter a BAA that will apply (“spring to life”) when and if the services involve PHI.
The “Shifting BAA” is the term I’ll use for a situation in which the parties provide services on each other’s behalf that involve the creation, receipt, maintenance, or transmission of PHI from time to time throughout the services contract. This situation will involve two parties that are both covered entities, where the contracted services involve the use or disclosure of PHI on behalf of the other party. At any given time during the contract, one party might be functioning as a covered entity and the other a business associate, or vice versa. If a hospital contracts with a radiology practice to read scans performed on hospital patients, and the radiology practice contracts with the hospital to provide billing or other services in connection with patients seen in the radiology practice’s private office location (i.e., to patients of the practice), for example, each party will be acting as a business associate of the other with respect to the other party’s patients and PHI.
The “Slip-Sliding BAA” is the one to watch out for. This is the BAA that shouldn’t have been entered in the first place, and that turns a simple contractual arrangement into a muddy, slippery mess (thus, the HIPAA headache). I’ve written about the importance of figuring out whether a party is acting as a business associate (see here and here), but it’s worth emphasizing again. If you’re the covered entity asking a contractor to sign a BAA, make sure the contractor is creating, receiving, maintaining or transmitting PHI in connection with services it is providing on your behalf. If it’s not, the contractor’s breaches could be attributed to you. If you’re the contractor being asked to sign the BAA as a business associate, analyze the services agreement to make sure you need to create, receive, maintain or transmit PHI in order to provide services on the other party’s behalf. If PHI is required from the covered entity for the business associate to provide the required services, such an analysis may have the ancillary value of focusing the parties on the minimum necessary level of PHI needed.