HIPAA Business Associate Agreement for Chiropractors

When a chiropractor does business with a person or entity that, as part of that work, needs access to patient records or other protected health information (PHI), the chiropractor must have that person or entity sign a Business Associate Agreement before the PHI is shared. In other words, whenever a chiropractor engages a contractor or vendor outside the practice's own workforce, a Business Associate Agreement is required if that contractor or vendor might receive protected health information.

HIPAA defines a "business associate" as a person or entity, other than a member of the covered entity's workforce, that performs functions or activities on behalf of a "covered entity", or provides services to it, that involve the use or disclosure of PHI. In practice this means the business associate creates, receives, maintains, or transmits PHI. For example, a business associate could be an attorney, an accountant, a coding and compliance professional, a billing company, an IT or cloud vendor that hosts patient records, etc. A "covered entity" is a health plan, a health care clearinghouse, or a health care provider, such as a chiropractor, that transmits health information electronically in connection with HIPAA standard transactions (for example, electronic claims). "Protected Health Information (PHI)" is individually identifiable information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for health care services, and that is transmitted or maintained in electronic media or in any other form or medium. PHI includes a patient's identifiers (e.g. name, phone number, email address, Social Security number, etc.), medical history, test results, insurance information, and any other information that can be used to identify the patient when it is held together with health information.

A "Business Associate Agreement" is a written contract that describes and limits the permissible uses and disclosures of protected health information by the business associate. It also gives the chiropractor satisfactory assurances that the business associate will appropriately safeguard the PHI it receives. HIPAA requires that these assurances be in writing. In addition, a Business Associate Agreement sets out each party's responsibilities with respect to the PHI, including how a breach by the business associate must be reported. Since the 2013 HIPAA Omnibus Rule, business associates are directly liable under HIPAA for their own violations, and the agreement can allocate responsibility for a breach caused by the business associate; it does not, however, relieve the chiropractor of responsibility for the practice's own compliance obligations.

The HHS.gov website provides guidance and sample contract language for Business Associate Agreements. Generally, the Business Associate Agreement must be in writing and it must:

(1) establish the permitted and required uses and disclosures of protected health information by the business associate;

(2) provide that the business associate will not use or disclose the information other than as permitted by the contract or as required by law;

(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including the requirements of the HIPAA Security Rule with regard to electronic PHI;

(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by the contract, including incidents that constitute breaches of unsecured PHI;

(5) require the business associate to disclose PHI as specified in its contract to satisfy the covered entity's obligations with respect to individuals' requests for copies of their PHI, and to make PHI available for amendments and accountings of disclosures;

(6) to the extent the business associate carries out any of the covered entity's obligations under the Privacy Rule, require the business associate to comply with the requirements that apply to that obligation;

(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received on behalf of, the covered entity, so that HHS can determine the covered entity's compliance;

(8) require the business associate, at termination of the contract and if feasible, to return or destroy all protected health information received from, or created or received on behalf of, the covered entity that it still maintains in any form, and to retain no copies;

(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.