New Business Associate Agreement Due by September, 2013

Many dental practices do not realize that the overhaul of the HIPAA statutes regarding business associates (those companies which may have access to protected health information, or PHI) requires that new, more extensive agreements be signed by September 23, 2013. The new rules, in effect as of March 26, 2013, mandate that entities that handle PHI, like dental offices, have new business associate agreements in place by then to give the associates written notice of their increased responsibilities under HIPAA to conform directly to that statute and the new 2013 HIPAA Omnibus rules. Any company that may have access to PHI and deals with a dental practice must sign a new agreement outlining in more detailed terms the responsibilities that formerly dentists themselves were responsible for under HIPAA, as well as the more extensive new privacy rules that have to do with security and privacy of electronic health information. With the advent of newer technology for transmitting information in many different ways and mediums, among the general population as well as among health care providers, it is not surprising that the HIPAA statute, and its corresponding HITECH regulations, have expanded to meet that transformation.

So how does a dental practice identify which companies or persons are now business associates with which it must have a business associate agreement? Donna Grindle, CHPSE, a health care security systems professional and frequent contributor to the HIPAA 411 LinkedIn discussion group, has presented some excellent information showing just who a dental practice should consider a business associate, and why.

A “scrubs” supplier’s delivery staff has access only to “dirty laundry” and not PHI, right? But they have access to the dental office, with keys etc. to come into the office after hours, so the possibility of their coming into contact with PHI should make the dentist consider whether security is sufficient to go without a business associate agreement. The same goes for the cleaning companies, especially since the recent Georgia case of a cleaning company whose temporary employees worked for it for short periods of time, just long enough to sneak USBs into offices, steal identities, and then leave the company with valuable PHI and personal information in hand. Independent contractors like heating and air conditioning repair services have similar access issues, and if it’s a regular function, a BA agreement is a good idea. Many health providers don’t realize that HIPAA covers not only PHI but any personal financial information having to do with patients. Identity theft is big business, and HIPAA enforcement will cover that problem more frequently as the thieves become more and more imaginative.

Medical device companies are definitely BA candidates, since they might be dealing with PHI located right on the devices they sell or service.  Those companies should be well aware of their responsibilities to get BA agreements, but make sure they know the new rules by having an agreement in place.

Professionals like CPAs and attorneys deal with PHI all the time, and do you think an attorney would admit to not obeying new federal regulations? Don’t be so sure that they are completely aware of their legal responsibilities, regardless of the fact that their education and licenses would seemingly require that knowledge. Collections agencies aren’t attorneys, and in spite of their legal function should be under a valid BA agreement (we all know that collections agencies don’t exactly exude professionalism in their work).

So, who handles PHI but doesn’t have to sign a BA agreement? The part-time bookkeeper who is actually paid by the practice as an employee is not a BA, and instead falls under the staff training requirements that all practice employees must go through. Dental laboratories are health care providers and thus are allowed to handle PHI without a BA agreement because of that status. Other non-BA businesses include insurance companies, which can handle PHI under the “payment” purposes exception to the restriction on the flow of PHI without authorization.

Finally, the new HIPAA Omnibus rules focus on electronic health information (HITECH regulations), and so any IT-related company has significant BA responsibilities, not only for not using ePHI outside of HIPAA rules, but also for protecting that now all-important aspect of HIPAA law, the security of the transmission of PHI.