Is a Business Associate Agreement Necessary?
Imagine you recently hired a cleaning company who comes in after business hours. While doing their duties in your facility the cleaning company may come across protected health information (PHI). Is a business associate agreement necessary?
First off, a business associate is not considered a part of the covered entity's workforce. A business associate is a person or entity who performs functions or activities that create, receive, maintain or transmit PHI on behalf of, or provide services to, a covered entity.
A business associate is:
- A person that offers a personal health record to one or more individuals on behalf of a covered entity.
- A Health Information Organization, E-Prescribing Gateway, or other person that provides data transmission with respect to PHI to a covered entity and requires access on a routine basis to such PHI.
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.
A business associate agreement is needed if:
- A person or entity creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA, such as: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, and practice management.
- A person or entity who provides legal, accounting, consulting, management, administrative, accreditation or financial services where services involve disclosure of PHI to the person or entity.
- A person or entity who will be able to access PHI on a routines basis, and/or there is a possibility that the PHI in the person or entity's custody or control could be compromised. For example, a document shredding company.
According to HHS, janitorial services that clean offices or facilities of a covered entity are generally not business associates. Therefore, a business associate agreement would not be necessary. However, If a janitorial service is hired to do work for a covered entity where disclosure of protected health information is not limited in nature (such as routine handling of records or shredding of documents containing protected health information), it likely would be a business associate.
If you have additional questions about business associates, business associate agreements, or need further assistance, please do not hesitate to contact one of our professional consultants.