HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Can accounting firms be business associates?

Written by Tshedimoso Makhene | Feb 27, 2025 2:32:26 AM

Accounting firms can be considered business associates if they handle protected health information (PHI) as part of their services to healthcare providers.


How can accounting firms be business associates?

At first glance, accounting firms might seem far removed from the healthcare industry. However, many healthcare providers rely on accounting firms for vital tasks, some of which involve handling PHI. For example, accounting firms may assist healthcare providers with:

  • Billing and claims processing: Accounting firms often manage billing and claims submission for healthcare services. This process requires access to sensitive patient information, including personal and financial data, which may qualify as PHI under HIPAA.
  • Auditing: Healthcare organizations are subject to regular audits to ensure compliance with federal and state regulations. Accounting firms that audit these organizations may have access to PHI as part of their work.
  • Tax and financial consulting: Accounting firms that offer tax or financial consulting to healthcare providers may also come into contact with patient data as part of their client management processes.

Because each of these services can require the firm to create, receive, maintain or transmit PHI on the provider's behalf, an accounting firm that performs them qualifies as a business associate under HIPAA. The deciding factor is not the type of service but whether the firm actually handles PHI while delivering it.


The role of a business associate agreement (BAA)

"A PricewaterhouseCoopers study concluded that around 55% of data breaches reported since September 2009 involve business associates. The biggest challenge is identifying all of an organization's business associates. It's not unusual for a hospital or system to identify around 250 business associates in its initial assessments. However, after a more complete analysis, the actual number may be 750 or more business associates," writes the AHA Trustee Services.

If an accounting firm is classified as a business associate, it must sign a business associate agreement (BAA) with the healthcare provider before it receives any PHI. The agreement sets out the permitted uses and disclosures of PHI, the firm's obligation to safeguard it in line with HIPAA's Privacy and Security Rules, and its duty to return or destroy the PHI when the engagement ends.

The BAA also specifies what happens in the event of a breach or other non-compliance, including the firm's obligation to report the incident to the healthcare provider and take corrective action. A BAA does not shift all responsibility onto the provider: since the 2013 Omnibus Rule, business associates are directly liable under HIPAA for their own compliance. Without a signed BAA, a healthcare provider may not share PHI with an accounting firm; doing so is a HIPAA violation and exposes both parties to penalties.


When are accounting firms NOT business associates?

Not all accounting firms working with healthcare providers are business associates. If the firm's work never touches PHI, for example preparing the provider's corporate tax return or advising on practice finances using only aggregate or de-identified figures, with no access to patient-level billing, claims or clinical records, the firm does not meet the definition of a business associate. The same service can fall on either side of the line depending on the data the provider shares, so the provider should confirm what the firm will actually receive before deciding whether a BAA is required.

See also: HIPAA Compliant Email: The Definitive Guide


FAQs

What is a business associate under HIPAA?

A business associate is a person or entity that performs functions or activities involving the use or disclosure of protected health information (PHI) on behalf of a covered entity (a healthcare provider, health plan or healthcare clearinghouse), or that provides services such as legal, actuarial, accounting, consulting, data aggregation, management, administrative or financial services to a covered entity where the service involves the disclosure of PHI (45 CFR 160.103). Accounting is named explicitly in that definition.


What steps should an accounting firm take to remain HIPAA compliant?

An accounting firm that qualifies as a business associate should:

  • Sign a BAA with each healthcare client before receiving any PHI.
  • Conduct a risk analysis and implement the administrative, physical and technical safeguards the Security Rule requires, such as access controls, encryption and audit logging for systems that hold PHI.
  • Train employees on HIPAA compliance and PHI handling, and limit PHI access to staff who need it for the engagement.
  • Sign BAAs with any subcontractors (for example, cloud or billing software vendors) that will handle the client's PHI.
  • Maintain a breach notification plan so that unauthorized access or disclosure of PHI is reported to the covered entity within the timeframe set in the BAA.

Related: How to ensure business associates are HIPAA compliant