>
> If your agency has executed a valid "business associates" contract
> with the hospital in question, it is legal and advisable to leave a
> PCR with them; after all, HIPAA never intended that patient care should
> be compromised by a lack of communication. The reality is that your
> agency should execute such an agreement with every facility they
> transport to and keep them on file.
> -BR
>
Hmm, this brings up another issue. The clear consensus among attorneys who have addressed the issue with us, as well as folks (attorneys and others) in the mainstream HIPAA lists and groups, is that a BAA between covered entities is unnecessary if the only service the two CEs are performing is treatment.
§ 160.103 of the Privacy Rule defines a business associate as follows (with references to "organized health care arrangement" omitted for the sake of brevity and because most EMS agencies presumably are not part of an OHCA):
"(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity ..., but other than in the capacity of a member of the workforce of such covered entity ..., performs, or assists in the performance of:
(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity ..., where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person."
So it clearly states that, in order to be deemed a business associate, an entity must be performing one of these (non-treatment) services on behalf of a CE. Multiple CEs treating the same patient are providing their service directly to the patient, and nothing (listed or otherwise) on behalf of a CE.
An example as we have applied it: We have a volunteer EMS agency in our county that uses our billing company. They also use us as the go-between for sending PCR data to the company, receiving EOBs and other related documents and reports from the company, customer service, collection efforts, etc. We have a BAA with that agency where we are considered their business associate. We don't have BAAs with other EMS agencies in the area, nor (back to the point) with the area hospitals.
Therefore, Barton, it seems clear that BAAs with receiving hospitals are not required by the Privacy Rule. Nor do I believe (back to Will's original question) that that should be a factor in whether his agency should leave PCRs with them. As some of us have said, their potential role in treatment seems to be justification enough.
Now, a question for the masses: If Barton and others still choose to execute them, is there any downside?
Jim