Incidental PHI exposure and business associate agreements

A business associate agreement (BAA) is not required for organizations or individuals, such as janitorial services, whose functions don’t involve protected health information (PHI). HIPAA permits incidental exposure, as long as it’s a by-product of their work, minimal, and cannot be reasonably prevented.

What is a business associate agreement (BAA)?

A BAA is a contract that outlines how business associates protect PHI when working with a covered entity, like a healthcare provider. These contracts clarify what the business associate can do with PHI and their responsibilities to protect patient information.

Read more: FAQs: Business associate agreements (BAAs)

When a BAA is not required: incidental access only

Not every external service provider qualifies as a business associate. According to the HHS, "A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all." 

For example, janitorial staff who clean a medical office may come into contact with PHI, such as seeing documents left on a desk or screen. Since the exposure is incidental and does not involve handling PHI as part of their job, HIPAA does not require a BAA with the cleaning company. In these cases, access is limited and can’t be easily prevented, making it permissible under HIPAA’s incidental use rule (45 CFR 164.502(a)(1)).

When a BAA is not required

  • The service does not include handling PHI as part of the job.
  • Any access to PHI is incidental and limited.
  • The service provider’s exposure to PHI cannot reasonably be prevented and is incidental to their duties.

When a BAA is required: routine or necessary access to PHI

A BAA is required if a service provider will access or handle PHI as part of their work with a healthcare organization. For example, an IT company managing a healthcare provider’s electronic records or a shredding service disposing of patient records requires a BAA. These organizations handle PHI in the normal course of their work, making them business associates under HIPAA.

Related: When should you ask for a business associate agreement?

Quick decision guide for healthcare professionals

To determine whether a BAA is needed, consider the following:

  • Is the service routinely handling or accessing PHI? If yes, a BAA is likely needed.
  • Is PHI exposure incidental only? If yes, a BAA may not be required.
  • Is the work performed on-site under direct control? If yes, consider the workforce exception.

FAQs

What happens if a business associate doesn’t comply with HIPAA?

If a business associate violates HIPAA, they may face fines, contract termination, and other penalties. Covered entities may also be held accountable for not securing PHI with proper agreements.

Can a covered entity be fined if it fails to have a BAA when required?

Yes, covered entities are subject to fines if they don’t have a BAA with vendors handling PHI, as this is considered a failure to safeguard patient information under HIPAA.

Is a BAA required if a vendor only has access to de-identified data?

No, a BAA is not required if the data has been de-identified according to HIPAA standards, as de-identified data is no longer considered PHI.

Read more: How to de-identify protected health information for privacy