What is a HIPAA Business Associate?

Under HIPAA there are two types of entities responsible for safeguarding protected health information: Covered Entities and Business Associates. Most Covered Entities are organizations that have direct contact with patients, such as doctors, clinics, and hospitals, or with their information, such as insurance companies. Even though business associates don’t see patients, they may maintain or have access to patients' healthcare data.
The size and complexity of modern healthcare mean that protected health information (PHI) can be found in more places than just a hospital or a doctor’s office. This data can be found in plenty of businesses: physical copies of medical records may be maintained offsite in storage, data can be sent to and from locations either by mail or electronically, financial information can be used by third-party billing companies, or patient information can be stored on a cloud-based server maintained by a third party. A business associate is an organization, or individual, that performs work or activities on behalf of a covered entity that may involve the use or disclosure of protected health information. In other words, if a third-party organization could potentially access some PHI in the normal course of its delegated work, it is a business associate. There are far more business associates than there are covered entities in the healthcare space, as the entire industry relies on outsourcing critical business services such as billing, storage, software, and collections to outside vendors. Even individual subcontractors and vendors of designated business associates that create, receive, maintain, or send PHI on behalf of their parent organization are also considered business associates and must be compliant with HIPAA, as the Omnibus Rule expanded the scope of HIPAA in 2013.

Who can be a business associate?

HIPAA defines a business associate as a person or entity that provides services to a covered entity that involve the disclosure of PHI. Businesses that would be considered business associates when working with covered entities are:
Some businesses may be considered business associates or not depending upon the information that they access as part of their service agreement:
Even organizations located outside the United States can be considered business associates if any of the information they receive, transmit, or maintain could potentially be used to identify a patient in the US.

Business Associate Agreement

HIPAA requires that a covered entity and its business partners that will come into contact with PHI as part of their services sign a business associate agreement (BAA), which is a contract between a covered entity and an organization or individual that outlines the duties and responsibilities of that organization as they relate to the protection of any protected health information that is shared between the two parties. All Business Associate Agreements must detail the following items:
There are many examples of business associate agreements online, but it is important to take care before using such templates, as they may have been designed for a different relationship. Each BAA should be customized for the unique nature of the relationship between the Covered Entity and the respective business associate.

HIPAA Compliance for Business Associates

Accountable is designed to simplify and streamline the process of HIPAA compliance for covered entities and business associates. Our solution comes ready with multiple templates that are easily customizable for all types of service agreements and will allow the BA to adopt the correct policies and procedures to safeguard the PHI under their care, as well as provide a framework to become compliant with HIPAA. Try it for free.

Which of the following is a business associate under HIPAA?

Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
What is a business associate agreement?

A business associate agreement establishes a legally binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI. This type of agreement is necessary if business associates can potentially access PHI during their work.

Which of the following would be business associates?

Examples of Business Associates are lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, web hosts, etc.

Can a business associate use PHI for its own purposes?

PHI in the hands of the business associate is still protected. The general rule remains that a business associate may not use the PHI for its own purposes without the patient's authorization.