
Do physicians with hospital privileges need BAAs?

No, physicians with hospital privileges do not need to enter business associate agreements (BAAs) with the hospital. These physicians are participating in an organized health care arrangement (OHCA) with the hospital, allowing them to share protected health information (PHI) for joint healthcare activities without a BAA. Under HIPAA, the OHCA treats these providers and the hospital as a single entity for patient care and operations.

 

HIPAA and business associate agreements (BAAs)

The BAA is a contract required between a covered entity (e.g., a hospital) and a business associate who handles PHI on behalf of the covered entity, like a billing company or IT vendor. The BAA outlines security requirements and expectations for safeguarding patient information and ensuring business associates comply with the HIPAA Privacy and Security Rules.

Typically, BAAs are required for any third party providing services to a covered entity that involve access to PHI. Examples include cloud storage providers, accounting firms, and consultants. However, these agreements are generally unnecessary between providers directly involved in patient care within the same facility.

 

What is an organized health care arrangement (OHCA)?

Under HIPAA, an OHCA allows multiple covered entities, such as a hospital and its affiliated providers, to work together on patient care without needing BAAs. An OHCA enables these entities to use and disclose PHI for joint healthcare activities, such as care coordination, quality improvement, and operations. Since the OHCA framework applies to healthcare providers working collaboratively, it treats the hospital and its affiliated physicians as a single unit for HIPAA purposes.

 

Why physicians with hospital privileges don’t need a BAA

Since physicians with hospital privileges are considered part of the hospital’s OHCA, they don’t function as external business associates. The HHS clarifies, "The hospital and such physicians participate in what the HIPAA Privacy Rule defines as an organized health care arrangement (OHCA). Thus, they may use and disclose protected health information for the joint health care activities of the OHCA without entering into a business associate agreement."

 

What this means for hospitals and physicians

Hospitals don’t need to approach every privileged physician with a BAA. Likewise, physicians working within the hospital can focus on their patients without navigating additional compliance agreements. However, all participants in the OHCA are still responsible for HIPAA compliance and protecting patient information as required by the Privacy and Security Rules.

 

When a BAA might be required for physicians

There are instances, however, where a BAA could be necessary if a physician provides services to a hospital outside their role as a treating physician. 

For example, if a physician is contracted with the hospital to handle billing or consulting services unrelated to their direct patient care duties, they would be acting as a business associate. In these cases, a BAA may be required because the physician would be considered an external service provider.

Similarly, if a physician establishes a separate practice that provides services to the hospital, they may need a BAA. However, when performing standard medical duties as part of the hospital’s OHCA, no additional agreements are required.

 

FAQs

What’s the primary benefit of an OHCA for hospitals and physicians?

The OHCA facilitates HIPAA compliance by allowing hospitals and physicians to share PHI without additional BAAs, simplifying collaboration and reducing administrative burdens.

 

Do physicians need a BAA if they only occasionally work at the hospital?

No, as long as the physician’s work falls under the hospital’s OHCA and involves direct patient care, no BAA is needed, regardless of frequency.

 

Can a physician refuse to be part of an OHCA and request a BAA instead?

Participation in an OHCA is typically an established part of the hospital’s compliance structure, so separate BAAs for patient care activities are not permitted.