My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her recent article in Medical Practice Compliance Alert entitled “Evaluate Relationships Before Signing Business Associate Agreements.” While the full text can be found in the February 3, 2014 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article. (Elizabeth has written several earlier entries on this blog related to the topic of the article, including those that may be found here and here.)
Often the relationship that a physician (or another professional, such as a lawyer or other vendor) has with a covered entity (“CE”), including a hospital, regarding individual health information (“IHI”) does not rise to the level of a business associate (“BA”) relationship under HIPAA, and so does not require a signed business associate agreement (“BAA”). Signing a BAA when one is not required can mean needlessly giving up certain rights and can create avoidable HIPAA compliance issues for both parties down the road.
Some CEs assume, as a matter of course, that anyone with whom they share IHI, physicians included, is their BA, and may pressure those persons to sign BAAs. What they overlook is that a physician’s ability to access, use or disclose his or her own patient’s IHI does not automatically make that physician a BA, and in many cases he or she is not one. Physicians are themselves CEs, and they require information on their patients for treatment, payment and healthcare operations, as HIPAA expressly allows and contemplates. The mere fact that two CEs share IHI does not make one the BA of the other.
Depending on its language, signing a BAA could require a purported BA (the “Purported BA”) to assume obligations under HIPAA that it does not otherwise have, tying its hands and potentially impeding its right to use the IHI appropriately for its own purposes. One should not assume that a BAA is needed without first assessing why the IHI is being shared. For example, if a physician shares the use of a hospital’s servers and accesses its electronic health records system for information on patients they have in common, a data use and access agreement between the parties may be the appropriate document, and a BAA may not be necessary at all. In that regard, an underlying agreement can describe why the physician needs the IHI of the other CE’s patients and clarify whether a BA relationship exists. Moreover, even an existing CE/BA relationship with a BAA in place that was appropriate when signed can evolve over time, so that the BAA needs to be updated or even terminated.
Finally, a party that is being pressured by a counterparty to sign a BAA it believes is unnecessary should point out that signing would put both parties at additional compliance risk: the BAA acknowledges a BA relationship under HIPAA, with all the regulatory obligations that flow from one, when no such relationship in fact exists.