Most County Boards know that 3rd party providers – for example, group homes, ICFs, Day Service providers – are not HIPAA Business Associates. The changes in the 2013 HIPAA Omnibus rule has made it clear that other “health care providers” are not HIPAA Business Associates — so a HIPAA Business Associate agreement is neither required nor appropriate. Health care providers who are HIPAA Covered Entities are already fully subject to the HIPAA regulations and must keep information confidential.
But not all “health care providers” are HIPAA covered entities. To become a covered entity, the individual or agency must transmit electronic health claims to a 3rd party payer. Many County Boards retain independent health care providers – for example physical therapists, occupational therapists and speech therapists – whose only “job” is working for the Board. They don’t submit electronic health claims – they get a check and a 1099 form.
Many Boards make the mistake of using a HIPAA Business Associate Agreement (BAA) in these situations. A BAA isn’t appropriate because these individuals don’t meet the definition of Business Associate – which can be seen if you carefully read the definition of Business Associate.
So these workers are neither employees, HIPAA Covered Entities or HIPAA Business Associates. By IRS regulations, they are not subject to the agency’s policies and procedures. These individuals do not have any HIPAA obligations of their own. And a HIPAA Business Associate contract is not appropriate either. The appropriate solution in these cases is a confidentiality agreement which includes much of the language in a HIPAA BAA, but omits certain language which is not appropriate.
Eagle has drafted a model agreement available for download. This agreement is also included in the latest edition of Eagle’s Confidentiality and Computer Security Policies for Ohio County Boards of Developmental Disability (2018 Edition.) Of course, always review any legal matters or contracts with your County Prosecutor for final approval.