Select Page

Most County Boards know that 3rd party providers – for example, group homes, ICFs, Day Service providers – are not HIPAA Business Associates.  The changes in the 2013 HIPAA Omnibus rule has made it clear that other “health care providers” are not HIPAA Business Associates — so a HIPAA Business Associate agreement is neither required nor appropriate.  Health care providers who are HIPAA Covered Entities are already fully subject to the HIPAA regulations and must keep information confidential.

But not all “health care providers” are HIPAA covered entities.  To become a covered entity, the individual or agency must transmit electronic health claims to a 3rd party payer.  Many County Boards retain independent health care providers – for example physical therapists, occupational therapists and speech therapists – whose only “job” is working for the Board.  They don’t submit electronic health claims – they get a check and a 1099 form.

Many Boards make the mistake of using a HIPAA Business Associate Agreement (BAA) in these situations.  A BAA isn’t appropriate because these individuals don’t meet the definition of Business Associate – which can be seen if you carefully read the definition of Business Associate.

So these workers are neither employees, HIPAA Covered Entities or HIPAA Business Associates.  By IRS regulations, they are not subject to the agency’s policies and procedures.  These individuals do not have any HIPAA obligations of their own.  And a HIPAA Business Associate contract is not appropriate either.  The appropriate solution in these cases is a confidentiality agreement which includes much of the language in a HIPAA BAA, but omits certain language which is not appropriate.

Eagle has drafted a model agreement available for download.  This agreement is also included in the latest edition of Eagle’s Confidentiality and Computer Security Policies for Ohio County Boards of Developmental Disability (2018 Edition.)  Of course, always review any legal matters or contracts with your County Prosecutor for final approval.

About Gary Pritts

President, Gary Pritts

Gary consults in the areas of physician practice management, medical information systems, HIPAA compliance, health and productivity management and general business management.  Gary serves on the board of Lakewood Hospital, one of the Cleveland Clinic Regional Hospitals, and is a founder and past president of eHealth Ohio, and is active with numerous professional organizations.  He served as product development manager for the EDI clearinghouse division of Quadax, a regional clearinghouse, and  understands provider organizations from his 6 years as President and owner of Premier Rehab, a Medicare Certified Rehab agency with two Cleveland locations.  His computer background includes 15 years in various computer and computer service organizations.  He has a B.S. in Computer Science from Purdue University and an M.B.A. from Harvard Business School.

Pin It on Pinterest