Skip to Main Content
Thought Leadership

Business Associates Here, There, and Everywhere: When Does Your Service Provider Really Need to Sign a HIPAA Business Associate Agreement?



April 12, 2023
Listen to the podcast

Related Industry:


Related Service:

Hospice & Palliative Care 


The HIPAA regulations require that covered entities enter into agreements with business associates who provide certain services for the covered entity involving the receipt, use, or disclosure of protected health information. In working with hospices throughout the years, we have found that many hospices have business associate agreements with nursing homes, vendors, and other providers where a business associate agreement is not required because neither party is actually a business associate of the other. In this episode, Husch Blackwell’s Meg Pekarske and Andrew Brenton discuss when a business associate agreement is and is not required, so that hospices can confidently comply with the law while focusing on what matters most: delivering high-quality end-of-life care.

Additional Resource:

Read the Transcript

This transcript was auto-generated using Adobe Premiere Pro.

00;00;05;01 - 00;01;10;22
Meg Pekarske
Hello and welcome to Hospice Insights, The Law and Beyond, where we connect you to what matters in the ever changing world of hospice and palliative care. Business Associates Here, There and Everywhere: When does your service provider really need a HIPAA business associate agreement? Andrew, thank you for joining me on this very important topic because that's the question that I feel like I've been answering as long as HIPAA has been around since like 2000. So the answer really hasn't changed, but I feel like the question still comes up all the time. And let’s walk through this about when someone really needs a business associate agreement. And I think the place to start is first, the definition of a business associate. And a Business associate is someone that is doing something on behalf of a covered entity and what they're doing involves the use or disclosure of protected health information. Do I have that right, Andrew?

00;01;11;00 - 00;01;12;13
Andrew Brenton
Yep. You have that right. Yep.

00;01;12;20 - 00;01;39;03
Meg Pekarske
So I think the first place where people stumble is, well, okay, you are doing something for we have a patient in common, and I think let’s start with a nursing home because this is the one that comes up most often. Right? We are both providing care to this patient.

00;01;39;20 - 00;01;40;03
Andrew Brenton

00;01;40;25 - 00;02;13;26
Meg Pekarske
And what I think people stumble on is while we're both providing care to this patient. So we need a business associate agreement and we have a contract. But I think importantly, the contract isn’t someone's providing services on behalf of the other. Right? And so explain that a little bit more. Walk me through why nursing homes don't typically meet the definition of a business associate or we're not the business associate of the nursing home. Can you explain that more?

00;02;14;00 - 00;02;45;21
Andrew Brenton
Yeah. So got two main reasons. First, got a tier point. If we're talking about a hospice nursing home arrangement, I mean, the parties really are contracting and the terms have to do with the services being provided to the patient as opposed to, in this case, the hospice or the facility. So the nursing home really wouldn't be doing services on behalf of the hospice so much as services directly to patients of the hospice.

00;02;45;28 - 00;03;28;21
Meg Pekarske
Yeah, and to that point, right, the contract that we have in place is more like a care coordination contract where the law says, in 418113 or whatever it is, you need to have a contract so each person knows what the other person is doing. That's care coordination. That is not you are doing something on my behalf in contrast to like, you know, a therapy provider who is actually doing something on our behalf as it is in care coordination, and we are paying them to do stuff we can well talk about. Does that meet the definition and whatnot?

00;03;28;21 - 00;04;15;20
Andrew Brenton
Well, yeah, kind of to that point. The other reason why there really wouldn't be a business associate in kind of your standard nursing home hospice arrangement has to do with treatment, in fact. So some of the HIPAA regulations actually carve out HIPAA disclosure related to the treatment of a patient as being a business associate activity. So essentially, if you are provider, you know, you're working with a another provider. And even if you are doing things on behalf of that provider, the services you're providing are on behalf of that provider. To the extent you're disclosing PHI for the treatment of patients, that also would mean that you don't have a business associate relationship.

00;04;15;29 - 00;05;58;14
Meg Pekarske
To recap, you're out of the mix. Because you're not providing a service on my behalf, right? A business associate is someone that's doing something on behalf. Entwined with that is we're sharing information for treatment purposes so that maybe brings in the therapy, provide or because all you're doing is treatment. I think where you know, when you come up with the example of, well, then who's left right? Because most of these people I'm working with or I'm sharing PHI with them for purposes of treatment. So then we get into, so there's a requirement and in the law that talks about you need to have someone review your medications or something, right? Or sometimes people use pharmacy consultants to do that. And so that pharmacy consultant if they're doing something that's not about treatment, right, but about a compliance related thing. So a treatment provider is doing something right when they're dispensing drugs. That pharmacy isn't a consultant to you, right? They're just another treatment provider. You're paying them. But if they start helping with compliance related things that are not at an individual treatment level, they could then be a business associate because they are doing something on our behalf. So they tick that box and we don't have the exception of well, but it's for, you know, a treatment here, it's no, it's actually about our compliance or if we were engaging them for quality improvement and and whatnot. But what are some other ones that do fall in the bucket of business associate?

00;05;58;28 - 00;06;46;06
Andrew Brenton
We could look at, you know, what we do. So we we have contracts with our clients. You know, we provide services on providers baths. And in doing that we do sometimes need access to PHI. So, you know, legal services involving the use of PHI, those would require a business associate agreement because kind of to your point, that's more similar to that arrangement you're talking about where, you know, the other party is a provider. But if you look closely at what you know what's going on, that provider is providing services on behalf of the covered entity and it's not fair treatment. So that that'd be similar to like legal services or accounting services, any sort of professional service where...

00;06;46;16 - 00;06;55;14
Meg Pekarske
A clinical consultant coming in, like I do my annual outside consultant comes in and they need a benefits associate agreement...

00;06;56;03 - 00;06;57;10
Andrew Brenton
Absolutely. Yeah.

00;06;57;22 - 00;08;08;25
Meg Pekarske
So one could say, why are we having this conversation? What's the harm if I signed a business associate agreement, who cares? So because we oftentimes nursing homes will ask us to sign a business associate agreement, people sort of like it's not worth the struggle or obviously the reason why we're doing this podcast is we're not even answering the question: Are we a business associates? So the first step is, are we actually a business associate? I think answer is no, we're not, because we're not providing services on behalf of someone or if the services are being provided purely treatment, someone could say, well, who cares? I'm a covered entity. I already have all these responsibilities. What's the harm in signing and saying I'm a business associate? And I think it is pretty significant and so it is worth some energy, I think pushing back and not just signing things that that come out in front of you. But why don't you explain why it is important to push back on this and not just willy-nilly sign things?

00;08;09;08 - 00;09;29;28
Andrew Brenton
As a general matter? Yep. I don't think you want to agree, you know, to take on contractual obligations that that you're not required to take under law, or at least if you do that, to kind of know what you're getting into. But essentially, if you're asked to be a business associate with a covered entity and you're not actually a business associate, you could it be you could be agreeing to, I think, things that that you might not otherwise agree to, You know, business associates, they have breach notification duties. They have duties related to kind of accounting for permissible uses of PHI. There could be, you know, additional insurance or indemnification and obligations relating to the use of PHI business associates generally have to make their their books and their records available to the covered entity. So these are all kind of significant, I think organizational requirements. And if if that the underlying premise is sort of flawed and that these aren't actually required and they kind of then become sort of just general business terms to negotiate, I think you're you're in a much better position than and then just sort of, kind of flying blind. And that's sort of taking it for granted that, oh yeah, because I'm a provider, I need to have a business associate agreement.

00;09;30;06 - 00;09;39;16
Meg Pekarske
So I think that whole stop and pause evaluate, one, is someone actually providing services on someone's behalf here?

00;09;39;16 - 00;09;39;24
Andrew Brenton

00;09;40;03 - 00;09;44;06
Meg Pekarske
And if the answer is no, then, you know, stop.

00;09;44;15 - 00;09;44;23
Andrew Brenton

00;09;45;13 - 00;12;24;05
Meg Pekarske
But then even if we are, you bring up the important point about well, but is that really about treatment? Right? And that there is that exception for that and that's going to take care of lots of our relationships. Right? And then relationships that we really need to be a for are the ones that, like you said, the accountants, the lawyers, the clinical consultants. If you as a pharmacy consultant, like people that are helping you on quality compliance, those kinds of things, you need business associate agreements. And so I think people who listen to this probably have way too many business associate agreements out there. Either we've signed them or we've asked other people to sign them. So I guess if other people sign your business associate agreement, okay. But I think, you know, our focus really is as a hospice, are you signing business associate agreements like you become a business associate when you don't need to and that and your points are really well taken is why are you going to take on contractual obligations, which oftentimes, you know, when you look at these BAA agreements, they go beyond what the law requires and are really heavy handed. And now it's like you may have more obligations than you have as a covered entity. Right? Through this and like you said, insurance, indemnification, being liable for stuff, you know, maybe you want to I mean, so I think your points are really well taken that it's not just oh, I have extra paper that I maybe didn't need, this could and I think in the day of data breaches and, you know, people's EMR getting hacked and other stuff, I mean this is real that there can be breaches and like, you know, you don't want to have to, you know, deal with being a business associate under contract in a way that you weren't because making these arguments after the fact, once you've already signed an agreement like that, that becomes difficult to say, “Well, but I wasn't really your business associate under the legal definition.” But you signed something that said that you acknowledged you were. And, you know, I think it can be hard to unpack that at the end of the day. But I guess any closing notes here, Andrew? Because you deal with this issue quite often.

00;12;24;10 - 00;13;12;29
Andrew Brenton
Well, I think this is that general theme. I mean, don't assume that just because your offered this contract, that it is something that you have to sign. I know that probably strange coming from two attorneys. I mean, there's obviously a time and a place for contracts, but, you know, that doesn't mean that, you know, contracts are universally, you know, what we need to do or kind of the solution to any problem. So I think it's just kind of taking that pause, really examining the nature of the relationship, is this really something that I need a BAA for? And if so, who is like the appropriate BAA versus covered entity, and this kind of sorted through that at the outset, I think will save time and hopefully can avoid some some obligations that may not need to be agreed to.

00;13;13;13 - 00;14;32;07
Meg Pekarske
Yeah but I think well taken, and we'll include in the podcast notes links to things that are on the OCR website that get at like the definition of a business associate and the treatment exception, just so people have that at the ready. So if you do need to push back, it's not like they just need to say, “Oh, listen to this podcast.” Well, so I have this and I think it was worth a revisit because, you know, we're 20 years out from HIPAA, right? And I think that we haven't, it hasn't been top of mind like it has when things first came out. And so I think a refresher is always nice because it's like okay, let's get back to the basics about who actually is a business associate because I remember having this conversation 20 years ago and I think people got it then. But then, you know, we forget what we know and the older we get, the more we forget what we know. So I think it's a it's a good refresher for both old and new folks in compliance. So awesome. Well, thanks for the time, Andrew. And hopefully those links that we provide will be, will be helpful as long, as well as this podcast.

00;14;32;07 - 00;14;38;29
Andrew Brenton
Yeah. Thank you for having me.

00;14;38;29 - 00;14;54;09
Meg Pekarske
Well that’s it for today's episode of Hospice Insights, The Law and Beyond. Thank you for joining the conversation. To subscribe to our podcast, visit our website at or sign up wherever you get your podcasts. Till next time, may the wind be at your back.


Andrew Brenton

Senior Counsel