Evaluate Relationships Before Signing Business Associate Agreements

February 3, 2014 – In The News
Medical Practice Compliance Alert

Michael Kline and Elizabeth Litten were quoted in the Medical Practice Compliance Alert article “Evaluate Relationships Before Signing Business Associate Agreements.” While the full text can be found in the February 3, 2014, Medical Practice Compliance Alert, a synopsis is noted below.

Many relationships physicians have with other entities don’t rise to the level of a business associate necessitating a signed agreement. Signing one when it’s not required could result in your giving up certain rights and creating compliance issues in the future.

Some hospitals and organizations assume that physicians are their business associates and pressure them to sign agreements without understanding that a physician’s ability to access, use or disclose a patient’s protected health information (PHI) doesn’t automatically make a physician a business associate, and many times they’re not, says Michael Kline.

“You should be getting information on patients for treatment, payment and operations [as allowed by HIPAA]. Just because you’re sharing PHI does not mean you’re a business associate,” says Elizabeth Litten.

Signing a business associate agreement could cause you to give up certain rights, including the right to use the PHI for your own purposes. “You don’t want to tie your hands that way,” says Litten.

“People assume they need a business associate agreement without assessing why they’re sharing information. You have to ask what purpose the PHI is for,” she says.

An underlying services agreement should describe why the physician needs the PHI of the other entity’s patients and clarify whether a business associate relationship exists. Not having an underlying services agreement could mean that no business associate relationship exists, says Kline.

In some cases, a business associate agreement could evolve over time, causing a need for the agreement to be updated, notes Kline.

If a physician is sharing a hospital’s servers and accessing its electronic health records (EHR) system, the need for a data use and access agreement between the parties may arise, according to Litten.

According to Kline, if you’re being pressured to sign a business associate agreement when one is not necessary, point out that signing the agreement could put both parties at additional compliance risk.