FAQ on HIPAA Business Associates

Below are eight frequently asked questions about HIPAA business associates followed by responses straight from the ADA legal team. Answers include information on what the law requires, best practices, suggested reading and links to more information.

1. “Business Associates” will have access to my EHR. What is a business associate for purposes of HIPAA?

A business associate is a person or a company who needs access to your patients’ protected health information (PHI) in order to do a task on behalf of your practice. For example, business associates might be lawyers, accountants, consultants, insurance companies, clearinghouses, billing services or computer support services. You need to review your business practices to identify your business associates and make sure you have entered into an appropriate “business associate agreement” with each one.

2. Do I need a business associate agreement with another health care provider?

HIPAA does not require a covered dental practice to have a business associate agreement before disclosing PHI to another health care provider for treatment purposes. However, if the health care provider is performing a function on behalf of your practice that involves PHI, and not treatment of an individual, a business associate agreement is required. A covered entity can be a business associate of another covered entity.

3. Do I need a business associate agreement with my associate dentist?

An associate dentist in a dental group or partnership is generally not a business associate of that dental group or partnership. Rather, an associate dentist is likely to qualify as a “workforce member” of the dental practice. As such, he or she is subject to the practice’s HIPAA policies and procedures, must receive training, etc. HIPAA defines a workforce member to include any person whose conduct is under the direct control of the covered entity, whether or not they are paid by the covered entity. Employees, volunteers and trainees are all examples of workforce members.

Even if an associate dentist does not qualify as a workforce member, a business associate agreement is not required to disclose information to him or her for treatment purposes. HIPAA permits you to disclose PHI to another health care provider for treatment related purposes — that is, when the other health care provider requires that information to advance a patient’s care.

4. Do I need a business associate agreement with my dental laboratory?

Dental laboratories are considered health care providers. No business associate agreement is necessary to share PHI with a lab concerning treatment of an individual.

5. How can I be sure that my business associates are not mining the health information I share with them? You may not be aware that a business associate is improperly using or disclosing PHI. It is important to do your due diligence when selecting business associates and to negotiate the terms of the business associate agreement. (Many of the terms of a business associate agreement are required by HIPAA, but others, such as indemnification and insurance provisions, can be negotiated by the parties.) Under the HITECH Act, business associates are now subject to the same civil and criminal penalties as covered entities for HIPAA violations and they must comply with many HIPAA requirements. It would be prudent, when selecting a business associate, to ask about their HIPAA compliance policies and procedures and how your PHI will be safeguarded.

If you become aware that a business associate has misused PHI, you must take corrective action immediately. If such action is not successful, you must terminate the relationship if feasible. Talk with your lawyer about terminating the underlying agreement with the business associate. Document the occurrence and the steps that you took.

In general, a covered entity dentist is not liable for a business associate’s failure to comply with HIPAA Privacy, Security and Breach Notification standards as long as the covered entity dentist either: a) did not know and could not have reasonably known; or b) discovered the business associate’s HIPAA violation and took action to correct the situation, terminate the relationship, as appropriate. However, a covered entity can be liable for a business associate’s HIPAA violation if the business associate is deemed an agent of the covered entity, and the business associate was acting within the scope of the agency.

6. Is an employment agency that provides temporary hygienists or assistants considered a business associate? An employment agency is a business associate if it performs a service on behalf of a covered entity dental practice and has access to the dental practice’s PHI. In addition, a temporary employee such as a hygienist or assistant is a member of the dental practice’s workforce if his or her work is under the direct control of the dental practice, whether the temporary employee is paid by the dental practice or by the employment agency. The dental practice must train all workforce members, including temps and volunteers, to comply with its HIPAA policies and procedures, and must apply appropriate sanctions against workforce members who do not comply.

7. What if a business associate discovers a breach?

The HIPAA Breach Notification Rule requires a business associate that discovers a breach of unsecured PHI in any format (electronic, hard copy or oral) to notify the covered entity of the breach without unreasonable delay and in no case later than 60 days after discovering the breach. It is the responsibility of the covered entity to notify the individual(s), the U.S. Department of Health & Human Services (HHS), and in some cases, the media. The business associate must provide the covered entity with the following information, to the extent possible: a) the identification of each individual whose unsecured PHI has been breached (or is reasonably believed by the business associate to have been breached); and b) any other available information that the covered entity must include in the notification to the individual(s). If a business associate is deemed an agent, the covered entity may be deemed to have discovered a breach on the date that the breach was discovered by the business associate.

8. What happens to the PHI when a business associate relationship ends?

At the termination of a business associate agreement, the business associate must, if feasible, return or destroy the PHI and retain no copies. If this is not feasible, the business associate must extend the protections of the business associate agreement to the PHI and must not use or disclosure the PHI for any purpose except the purposes that make return or destruction infeasible.

The ADA Complete HIPAA Compliance Kit can provide more information. The kit is available through the ADA Storeor 1.800.947.4746.

The Office for Civil Rights provides information about HIPAA at http://www.hhs.gov/ocr/privacy/hipaa/individuals.

Additional information can be found at the ADA's HIPAA page.