In March 2017, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) confirmed that a dentist does not need to sign a business associate agreement with a dental lab when the dentist shares with the lab protected health information for purposes of treating patients. The OCR guidance, which was provided in an e-mail to the American Dental Association, confirms that a dental lab qualifies as “health care provider” under HIPAA when it provides treatment services. As a general rule, HIPAA does not require a health care provider to have a business associate agreement with another health care provider with which it shares protected health information for purposes of treating patients.
It should be noted, however, that in some situations that do not involve treatment of individual patients, a dental lab may qualify as a business associate under HIPAA. In those situations, a business associate agreement would be required.
If you have any questions about whether a particular business relationship requires a business associate agreement, please contact a member of the BrownWinick Health Law Practice Group.