A professional practice is responsible for protecting the protected health information (“PHI”) of its patients under both the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). In the ordinary course of business, a professional practice may utilize non-employee consultants in a variety of functions in which the consultant may use, create or disclose the practice’s PHI. Some examples are as follows: a third-party administrator that assists with claims processing; a CPA firm whose accounting services to a health care provider involve access to PHI; a consultant that performs utilization reviews for a hospital; a health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer; or an independent medical transcriptionist that provides transcription services to a physician. It is imperative in these scenarios that the practice has a signed business associate agreement in place between the practice and the consultant whereby the practice obtains assurances that the consultant will protect the PHI in the same manner as required by the practice itself.
A business associate agreement outlines the requirements of the business associate under both HIPAA and HITECH in an effort to protect a practice from steep HIPAA and HITECH penalties. Amongst other requirements, a business associate agreement must: describe the permitted and required uses of PHI by the business associate; provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract.
While there are certain exceptions to the business associate agreement requirement discussed herein, these agreements are generally required when patient PHI is handled by an outside party. Professional practices should contact legal counsel when these situations arise to ensure the appropriate documentation is in place.