Vendor Management
Determining Who is a Business Associate
How to determine who is a business associate:
Definition of Business Associate: A Business Associate is a person or entity to which CAO discloses protected health information so that the person/entity can carry out, assist with the performance of, or perform a function or activity for CAO.
Protected Health Information (PHI): A patient's or participant's (in the case of research) health information that identifies the person or can be used to identify the person.
Business Associate Test
- Is CAO disclosing PHI?
- Does the recipient of the PHI provide a service to, for, or on behalf of CAO?
If the answer to both of the above questions is "yes", you may have a relationship that requires a business associate agreement.
Not Business Associates
- CAO’s Workforce: Employees, faculty, residents, students
- Health care workers and Providers providing treatment
- Labs
- Individuals or companies with very limited and incidental exposure to health information, such as telephone company, electrician, etc.
- Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.
Potential Business Associates
- Lawyers
- External auditors or accountants
- Professional translator services
- Answering services
- Consultants hired to conduct audits, perform coding reviews, etc.
- Accreditation agencies
- Shredding and/or documentation storage companies
- Data processing firms or software companies that may be exposed to or use PHI.
- Medical transcription services, even if you contract with an individual rather than a company.
- Medical equipment service companies handling equipment that holds PHI.
- E-prescribing Gateways
- Health information organizations
Purpose of Business Associate Agreements
Any person or company that is a Business Associate will be required to sign a contract with special language mandated by the privacy rules. Business Associate agreements will assist CAO in protecting our patients' health information when it is released to someone outside our organization.