Business Associate Agreements

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a business associate agreement is a contract that ensures that business associates appropriately safeguard protected health information. It also serves to clarify and limit the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the associate. The associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.

What is a business associate? A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A business associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the covered entity. A covered health care provider, health plan, or health care clearing house can be a business associate of another covered entity.

Requirements of a Business Associate Agreement

The requirements of a business associate contract are governed by 45 C.F.R. § 164.504(e). The regulations state that the contract must: (1) describe the permitted and required uses of the protected health information by the business associate, (2) provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law, and (3) require the business associate to use appropriate safeguards to prevent a use or disclosure of protected health information other than as provided for by the contract. Further, if a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, then the covered entity must terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services Office for Civil Rights.

Why do you need one?

Since most health care providers do not carry out all of their health care activities and functions by themselves, it is sometimes necessary for covered entities to use the services of a variety of other persons and businesses. A business associate agreement allows the covered entity to carry out the functions of its business with the help of its business associates, while still protecting the privacy of its patients. The agreement ensures that the covered entity and the business associate understand the scope of the information that can be disclosed and the rights and responsibilities each has under the agreement.

The goal of the agreement is to ensure that the business associate relationship is in writing and is fully understood by the parties. However, a business associate agreement is not required in every situation where protected health information is disclosed outside the covered entity.

Exceptions to the Business Associate Agreement Requirement

A business associate agreement is not required when disclosure is made from a covered entity to a health care provider for treatment purposes. This means that any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment of an individual patient without a business associate contract.

As discussed above, a covered entity includes a health care provider (e.g., doctors, clinics, dentists, pharmacists), a health plan (e.g., health insurance companies, HMOs), and a health care clearing house. A health care provider means a provider of medical services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. As an example, a hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment. A physician is also not required to have a business associate contract with a laboratory as a condition of disclosing protected health information for the treatment of an individual.

Business associate agreements are also not required in many other situations. Please note that the following is not an exhaustive list of situations where a business associate agreement is not required.

  • When a health care provider discloses protected health information to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan’s network. A provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on their own behalf as a covered entity, and not as the “business associate” of the other.
  • With persons or organizations whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
  • With a person or organization that acts merely as a conduit for protected health information, for example, the U.S. Postal Service, certain private couriers, and their electronic equivalents.

However, even if a business associate agreement is not required, covered entities must make reasonable efforts to disclose only the “minimum necessary” to achieve the purpose for which it is being used or disclosed. Herman v. Kratche, 2006 Ohio 5938, 8th Dist. Under the HIPAA regulations, only the minimum necessary amount of information consistent with the stated purpose is to be disclosed. However, 45 C.F.R. § 164(b)(2)(i) provides that minimum necessary does not apply to disclosures to or requests by a health care provider for treatment.

Dentists who are unsure whether a business associate agreement is required in a given circumstance should consult with their legal advisor or a member of their state dental board to avoid a HIPAA violation. The experienced dental attorneys at Nardone Limited, in Columbus, Ohio, will assist you and your practice to ensure you are taking the necessary precautions to protect your business.