United States: Providers Must Enter Into BA Agreements With Vendors Who Transmit, Maintain, Use Or Have Access To PHI

The Stage 2 Meaningful Use requirements make clear that the federal government is continuing its push to require healthcare providers to use information technology. The requirements also make clear, however, that patient privacy and security has not been sidelined.

With this emphasis on making information available to patients online, providers must remember the need to enter into business associate agreements with vendors who transmit, maintain, use or have access to protected health information. The recent action against Phoenix Cardiac Surgery, P.C. by the Office of Civil Rights (OCR) is instructive on this front. In that case, Phoenix used a publicly accessible, Internet-based calendar to post patient appointment dates and an Internet-based email account to e-mail PHI to workforce members' personal Internet based e-mail accounts. In both instances, OCR faulted Phoenix for not entering into business associate agreements with the providers of these services. Phoenix agreed to pay HHS $100,000 and enter into a 1-year corrective action plan.

In general, providers should enter into business associate agreements with vendors who "touch" PHI in any manner. This would generally include hosting providers, computer repair services and even copy machine repair services. The only exception to this requirement to enter into business associate agreements is for vendors who are conduits, with the US Postal Service serving as the typical example. Based on the HHS definition of "conduit," and the OCR's interpretation (as explained by Leon Rodriguez, Director of OCR, at a recent presentation) of that term, that exception is very narrow and is not likely to apply to, for example, a hosting vendor that provides managed cloud servers. As David Holtzman noted at the Health Care Compliance Association's 16th Annual Compliance Institute in April 2012, "If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don't use the cloud service."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.