Certainly, care coordination is the right thing to do. It has been since Dr. Welby on TV years ago, and probably several millennia before that. (We go back as far as Dr. Welby, but not back several millennia.)
Collaborative care, by definition, requires partners. In the US, partners and protected patient information require a BAA. And as Health and Human Services announces that they are entering Phase II of their audit program, everyone in medicine should know what their approach to BAAs is.
First, some background to catch some of you up: a Business Associate Agreement (BAA) is a contract of sorts under which anyone who is viewing, handling, or storing a patient's health information agrees to abide by the rules. You, as a covered entity (an individual, practice, hospital system vendor, etc.) working with another, must be sure that there is an agreement about the responsible handling of protected health information (PHI).
So who is the policeman (and judge, and jury)? The Office for Civil Rights. Yes, OCR is the same office that ushered in Title VI of the Civil Rights Act of 1964, the Americans with Disabilities Act, and the Age Discrimination Act, among other notable civil rights laws.
They publish a “Wall of Shame” which lists breaches affecting 500 or more individuals. As of May 11, 2016 there are 1548 citations. You will note, dear individual provider readers, that there are many individual and small group providers. Claiming, as a medical provider, that “I can text and talk and email because I have the patient's best interests at heart” cannot be expected to be defensible any longer. With the citations come fines -- and in some cases, a spot on the wall of shame.
For the focused topic of this post, the BAA, there are two notable recent cases. North Memorial Health Care of Minnesota will pay a $1.5 million settlement after failing to make a Business Associate Agreement with a contractor. Also, The Raleigh Orthopedic Clinic of North Carolina agreed to a $750,000 settlement related to the “need for HIPAA business associate agreements.” The breach was that they sold x-ray films to a company to transfer the images to electronic media before reclaiming the silver in the film. Good management of assets. Good environmental responsibility, but no business associate agreement.
In practice, as the lawyers like to say: “If it wasn’t documented, it wasn’t done.” In practice, as the OCR would like to say: “If there isn’t a BAA, there isn’t an excuse.”