Don't have a TCI SuperCoder account yet? Become a Member >>

Psychiatry Coding & Reimbursement Alert


Safeguard PHI by Creating Contracts with Business Associates

Remember, all entities are not subject to HIPAA rules.

In your practice, one of the most important aspects is to protect confidential information about your patients. So, you will need to know how to avoid misuse of protected health information (PHI) when you need to share information with other entities.

An entity or a person that has access to medical records by your practice is a business associate (BA). These business associates are subject to the Health Insurance Portability and Accountability Act (HIPAA) when they are accessing PHI.

“A business associate is any person or entity that performs a function or activity on behalf of the practice involving the use and/or disclosure of PHI that is not a part of the practice’s staff,” says Kent Moore, senior strategist for physician payment at the American Academy of Family Physicians.

“A lot of companies and people aren’t required to comply with HIPAA, and there are many times when health information may be available to these people and companies,” says Jo-Anne Sheehan, CPC, CPC-I, CPPM, senior instructor with Certification Coaching Org., LLC, in Oceanville, N.J.

In order to help protect your patient’s PHI, you will have to create a business associate agreement (BAA) with other entities that are accessing your patient’s medical records. However, for those entities that are not required to comply with HIPAA, there is no way to legally get them to comply with HIPAA.

So, you will need to know which of the entities who have access to PHI have to comply with HIPAA and who don’t so that you can safeguard your patients’ PHI to the maximum extent.

Know Who Your BAs Are to Protect Your PHI

If an entity or a person is providing any services to your practice and may involve access to PHI, you need to get a BAA signed from them in order to help protect patient information.

Remember:  You should be aware that not all the services that are provided by your BAs involve interacting with patients directly but they still might need to access your PHI. You have to be aware of who your BAs are and the extent to which they have access to your PHI.

“Not every entity that provides one of these services is necessarily a BA,” Moore says. “For instance, to the extent that legal services provided by a regulatory attorney do not include the disclosure of PHI, the attorney is not a BA. However, the legal services of a malpractice attorney will more likely involve the disclosure of PHI and thus more likely make the malpractice attorney as a BA of the practice.”

“Some examples of individuals and companies who are considered business associates include patient safety organizations and others involved in patient safety activities,” says Moore. “Other examples include health information organizations, including health information exchanges and e-prescribing gateways, personal health record vendors, and any other individual or company involved in the transmittal and maintenance of PHI.”

The Privacy Officer in your practice should compile a list of BAs.To accomplish this, he or she can review the practice’s business files for contracts or other arrangements that are currently in place. “For example, one way to develop this list is to review your general ledger, which tells you to whom you have written checks and probably includes most of your BAs,” Moore says.

Your Privacy Officer should maintain the BA list on an ongoing basis. “Each time your practice adds or discontinues a relationship with someone or some entity, you should update the BA list,” Moore advises. Likewise, each time the scope of services provided by a BA changes, the relationship should be reexamined to confirm that the entity in question continues to serve as a BA.

Remind Your BAs That They Need to Comply With HIPAA

If you are sharing PHI with any BAs, you have to get signed contracts with these BAs so that they are bound by HIPAA rules. At the same time, you should inform your BAs to get similar signed agreements from any subcontractor who gets access to your PHI.

The BAA will not be valid unless you get it signed from your BA with whom you are sharing the PHI. So, ensure that each time you share medical record information with a BA, you have a signed BAA prior to sharing any information with them.

Know Which Entities Don’t Have to Comply With HIPAA

To protect your PHI, you will have to think of getting a signed contract from every BA. However, some entities do not have to comply with HIPAA rules. In such a case, getting a BAA will not help you much in protecting your PHI. So, you will need to know such entities and take lot of care before you share any of your protected information with them.

Sheehan offers these examples of entities that aren’t covered under HIPAA but may handle health information:

  • life and long-term insurance companies
  • workers’ compensation insurers, administrative agencies, or employers (unless they are otherwise considered covered entities)
  • agencies that deliver Social Security and welfare benefits
  • automobile insurance plans that include health benefits
  • search engines and websites that provide health or medical information and are not operated by a covered entity
  • marketers
  • gyms and fitness clubs
  • direct to consumer (DTC) genetic testing companies
  • many mobile applications (apps) used for health and fitness purposes
  • those who conduct screenings at pharmacies, shopping centers, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions
  • certain alternative medicine practitioners
  • most schools and school districts
  • researchers who obtain health data directly from health care providers
  • most law enforcement agencies
  • many state agencies, like child protective services
  • courts, where health information is material to a case.

Caveat:  When you get requests for PHI from such entities, ensure to be careful and if necessary, take legal opinions before sharing information with them.“ Handling patient information is situational, and will largely depend “on whom the provider has a BAA with,” Sheehan says. “What is considered a BA in one practice may not be considered one in another,” Moore adds.

Resources: For more information on BAs, check these links: and