Decision Tree: When is a Business Associate Agreement (BAA) Required?




Updated 10/28/05 BAA Decision tree text (update 10-28-05).rtf

Saint Louis University, a Covered Entity under HIPAA, is required to sign Business Associate Agreements with certain organizations and individuals with whom it shares Protected Health Information (PHI). Business Associates are outside organizations or individuals who perform some function or service for Saint Louis University that requires them to have access to our patients' information. The HIPAA rule on Business Associates has many complicated details and exceptions, as well as a number of ambiguous definitions and interpretations. This Decision Tree guidance is provided to assist in identifying when a Business Associate Agreement (BAA) is necessary.

Before you use this decision tree you must make an initial decision: Is Protected Health Information (PHI) being disclosed to an outside entity? You must understand what constitutes PHI to make this determination. Protected Health Information (PHI) can be broadly defined as: any oral or recorded information relating to the past, present, or future physical or mental health of an individual, the provision of health care to the individual, or the payment for health care, that also contains information which makes it possible to identify the individual. If you decide that PHI is actually being disclosed from your site, then move on to Decision Point #1.

DECISION Point #1: Is PHI being disclosed to another healthcare provider for treatment purposes only?

Frequent disclosures made to outside entities are for services or products used solely to treat a patient or group of patients. When the disclosure of PHI to an outside entity is for treatment-only purposes, a Business Associate Agreement is not required.

The following are common examples of disclosures of PHI that do not require Business Associate Agreements under the treatment-only provision.

1. Providers of direct health care services for patients, such as attending physicians, dentists, podiatrists, psychologists, hospitals, clinics, dialysis facilities, laboratories, radiology providers, pharmacy distributors, and optometrists.
2. Providers of medical or care-related supplies, such as pumps and other durable medical equipment.
3. Ambulance and other medical transportation systems that request patient billing information in order to transport.

SPECIAL NOTE: There are instances where health care professionals provide treatment directly to the patient, yet also perform other services on the Facility's behalf, and for those other services would be considered a Business Associate. For example, a pharmacy may not only distribute medications but may also provide pharmacy consultant services. Likewise, a medical supply company may not only supply the wound care product but may also provide wound therapy consultation. These situations highlight the importance of examining all dimensions and functions of the relationship between the outside entity and the facility before making a quick decision. You cannot assume exemption simply based on job title or function.

DECISION Point #2: Is PHI being disclosed to an insurance plan for payment purposes?

A facility may disclose PHI to an insurance plan, including private insurance, Medicaid and Medicare, in order to secure payment for services provided to patients. Neither the health plan nor the facility is a business associate of the other, since each is considered to act individually on behalf of the patient. The following examples illustrate payment disclosures that do not require a Business Associate Agreement.

1. Patient information sent to CMS for categorization and payment.
2. Rehabilitation progress notes sent to a managed care company to verify treatment sessions.
3. Benefit and eligibility verification on the part of the facility.

SPECIAL NOTE: If documents containing PHI, such as a remittance advice or Explanation of Benefits (EOB), are given to a bank in order to consolidate payments to the facility, then a Business Associate Agreement is required. In this situation the bank is performing a function on behalf of the facility and not for the individual patient. Psychotherapy notes are an exception: they cannot be released for payment without patient authorization.

DECISION Point #3: Is PHI being disclosed for an official investigation or proceeding?

There are a number of exemptions to the Business Associate Agreement requirement if the PHI disclosed is required for activities authorized by law (including audits; civil, administrative, or criminal investigations; inspections and licensure; disciplinary actions; and civil, administrative, or criminal proceedings or actions), or for appropriate governmental oversight of health care systems, government benefit programs, or government regulatory programs.

The following examples illustrate disclosures of PHI to oversight, regulatory and legal agencies that do not require a Business Associate Agreement.

1. Reporting of state-required reportable diseases to the Department of Public Health. Some examples of diseases that may require notification are: AIDS, anthrax, botulism, diphtheria, legionellosis, malaria, plague, rubella, invasive group A streptococcal disease, syphilis, and tuberculosis.
2. A CMS survey (e.g. the facility's annual health department survey) where PHI is reviewed by a surveyor.
3. A Department of Health/DHHS/State agency visit prompted by a staff/visitor/patient complaint.
4. Death reporting to the state.
5. Law enforcement officials investigating abuse of a patient.
6. OSHA reporting.
7. A social services or protective agency authorized to receive reports of abuse, neglect, or domestic violence (except child abuse).
8. Judicial or administrative proceedings where disclosure is required by order of a court or in response to a subpoena or discovery request.

Decide first whether the oversight agency has legal authority to receive the PHI. If so, a Business Associate Agreement is not required.

DECISION Point #4: Is PHI being disclosed or accessed on behalf of the facility?

The term "on behalf of the facility" means a function or service that is necessary for the facility but that the organization chooses to outsource to another entity. These situations require a Business Associate Agreement when the exchange of PHI is necessary for the function or service to be performed. The function or service is provided for the direct benefit of the facility and typically involves activities that support and/or enhance the facility's ability to provide direct care to patients. Specific functions and services mentioned in the rule include: claims processing and administration; data analysis, processing, and administration; utilization review; quality assurance; billing; benefit management; practice management; and legal, actuarial, consulting, data aggregation, management, administrative, accreditation, and financial services.

The following are examples of services provided on the covered entity's behalf that require a Business Associate Agreement.

1. Agencies providing accreditation services, such as JCAHO.
2. Medical Directors acting in their administrative role on behalf of a facility.
3. Software vendors having access to PHI in the course of business.
4. Computer hardware service companies having access to PHI in electronic form.
5. Companies providing billing services that have access to PHI in the course of receiving electronic transactions to submit to payers for reimbursement.
6. Non-facility consultants, such as HIM/Medical Record, Dietary, and Infection Control consultants.
7. Payers performing functions that are in addition to, and not directly related to, the provision of insurance.
8. Attorneys representing the facility in a legal dispute.
9. Shredding services that have direct access to PHI in order to do their job.

SPECIAL NOTE: In the vast majority of cases where PHI is exchanged with an outside entity on the facility's behalf, the facility pays the entity for the service or product it provides. This is in contrast to the treatment-only situation, where the patient or their insurer is typically financially responsible.

DECISION Point #5: Is the entity receiving the PHI considered part of your workforce?

Workforce is defined as employees, volunteers, students, trainees, and other persons whose conduct, in the performance of work for the covered entity, is under the direct control of the covered entity, whether or not they are paid by the covered entity. The following are typical examples of people who are not employed by us but are defined by HIPAA as workforce, and who therefore do not need a Business Associate Agreement.

1. A volunteer working in HIM/Medical Records filing loose reports of discharged patients. The volunteer's conduct is under the control of the covered entity.
2. A student performing a clinical internship at the facility. Although the internship defines the scope of the student's activities, while they are in the facility the performance of those activities is supervised and overseen by a member of the CE's workforce.

SPECIAL NOTE: There are some instances when a facility has the choice of whether to consider a contractor as workforce or as a Business Associate. For example, temporary staffing resources in the billing office who participate in management meetings and who spend most of their time at the facility could be considered either workforce or a business associate. If no Business Associate Agreement is in place, the presumption is that the resource is part of your workforce. The decision-maker needs to weigh the pros and cons of such a decision from an operational and legal standpoint.

DECISION Point #6: Is PHI being disclosed for purposes preparatory to research?

The Privacy Rule permits covered entities to use and disclose PHI for research purposes with individual patient authorization, and without authorization under limited circumstances; in either case research protocols will require Institutional Review Board (IRB) approval.

During the preparatory-to-research process, a researcher who is an employee or member of the covered entity's workforce can use protected health information to contact prospective research subjects. The preparatory-to-research provision allows such a researcher to identify prospective research participants for the purpose of seeking their authorization to use or disclose PHI for a research study. A covered entity could also contract a Business Associate to assist in contacting individuals on its behalf to obtain their authorization. In this situation a Business Associate Agreement is required.

SPECIAL NOTE: A researcher who is not part of the covered entity may not use the preparatory-to-research provision to contact prospective research subjects. The outside researcher could instead obtain contact information through a partial waiver of individual authorization granted by the IRB, which permits disclosure of the PHI necessary to contact and recruit individuals into the study.

Common Business Associates

The following list contains entities that are typically Business Associates by the nature of their relationship with the facility. This list does not include all possible Business Associates, and it assumes all services are provided by persons not considered workforce. You should routinely analyze these and all future contracts according to the decision tree to assure compliance and avoid signing Business Associate Agreements when they are not required.

Attorney (external)
Medical Director (external)
Medical Coding Service
Mental Health Consultant
Medical Record Consultant
Ancillary Charge System
CNA Instructors
Pharmacy Consultant
Computer Consultant
Psychiatry Consultant
Contracted Billing
Record Destruction Service
Infection Control Consultant
Transcription Services
JCAHO
Record Copying Service

Temporary/contracted employees, such as nursing or therapy staff, may be considered either workforce or business associates.