Business Associates Agreements- Who the Hell Needs to Sign These?

Business Associates Agreements- Who the Hell Needs to Sign These?


In 2013, HIPAA brought sweeping changes for all healthcare facilities to implement. Not only does your staff need to be trained to the new HIPAA Omnibus Rule standards, but now protecting your patient’s PHI (Protected Health Information) is much more far-reaching. Under these new HIPAA Omnibus Rules, employees, as well as vendors need to sign confidentiality agreements. Requirements for vendors will vary. It’s important to know who needs to sign these new confidentiality agreements called Business Associate Agreements. The law is tricky because it is written in two different ways and you want to be sure to cover yourself for both translations.

First, HIPAA Omnibus Rule clearly states that you must have a Business Associate Agreement signed “by any company that collects patient data from your office”. For example: collection agencies, IT technicians, confirmation services, consultants, etc.

The next translation is the tricky one: HIPAA Omnibus Rule also states “that your office is responsible to protect the handling of all patient’s PHI. (Protected Health Information).” There are 18 common Protected Health Identifiers: Name, address, phone number, email address, zip code, birthdate, social security number, credit card number, to name a few. This means that your office should distribute and seek  signatures (on Business Associate Agreements), for all vendors or subcontractors that may see or use your patient’s PHI in the course of doing business with you.

Examples would be: labs, temporary employees, and after hours services. While this area of the HIPAA law may be interpretive, it’s better to do your due diligence and have these signed documents on file rather than not.

There are some exceptions though (thank goodness, the government is giving us a break here). It’s considered the “Course of Doing Business” when you communicate with Doctor’s Offices, Insurance Companies and Pharmacies. No need to have a Business Associate Agreement signed for these day-to-day interactions. Also, Delivery Services are considered “conduits” and they are exempt. Conduits are typically bonded and insured. Examples would be: Fedex, USPS, and UPS.

So how will you tackle this project of getting a Business Associate Agreement and keeping track of them? Make sure you choose a HIPAA Solutions Company that provides ready-made forms, logs, and telephone assisted guidance to help you with this arduous task. A complete solution that includes:

  •  A new HIPAA Manual (written to the new Omnibus Rule)
  • CD-ROM (with employee training video and all of the electronic forms)
  • 30 minutes of telephone assisted guidance from a HIPAA expert

HIPAA Omnibus Rule Complete Package is a winner when undertaking this task.  HIPAA Omnibus Rule is hard enough, don’t go it alone! Now you know “who the hell has to sign these things.” Now you just have to decide who the hell gets to oversee this lovely project within your healthcare facility.


Written Jill Obrochta and Heather Whitt of Dental Enhancements