What is a HIPAA Business Associate?
A HIPAA Business Associate (BA) is defined as an individual or organization that provides a service to a covered entity that requires them to create, store or disclose protected health information (PHI). HIPAA sets standards for how this type of identifiable information should be kept private and secure by all those who access it within the healthcare industry. Therefore, since BAs use PHI in the course of their work just as covered entities do, they too are required to comply with the many requirements of HIPAA.
Examples of Business Associates:
As mentioned above, a business associate is any person or organization that performs a service on behalf of a covered entity that involves them accessing some form of PHI along the way. BA organizations can be in the administrative, legal, financial, management, consulting industries or anywhere in between.
Here are a few specific examples of BAs:
- Medical Billing Companies
- Law Offices
- Accounting Firms
- Shredding Services
- IT Vendors
- Health Insurance Companies
- Medical Transcription Services
Compliance Extended to Business Associates
In 2013, the HIPAA Omnibus Rule was passed which changed the standards for what HIPAA Business Associate compliance looks like. The rule re-defined what a BA is but also expanded the responsibilities of compliance from the Privacy and Security rules to BAs rather than just covered entities (CEs). This means that if you provide any form of business service on behalf of a healthcare provider, then you are directly liable for any breaches that occur on your end. It is important that BAs are held to the same compliance standards as there are lots more business associates than covered entities and PHI must be protected by every last one.
Business Associate Subcontractors
Just as a business associate is someone who provides a service for a covered entity, a business associate subcontractor is a person or organization that performs a similar service on behalf of a BA. Organizations can be both BAs and business associate subcontractors depending on who they are providing services for in that instance. Many of the examples of BAs are the same type of organizations that serve as subcontractors in other situations. Examples of business associate subcontractors include accountants, attorneys, email encryption providers, file sharing vendors, shredding companies, etc.
Business Associate Agreements (BAAs)
A business associate agreement is an agreement between a BA and a CE that lays out each party’s responsibilities and obligations when it comes to securing PHI. HIPAA states that covered entities should only work with BAs once this written arrangement has been signed so that there is an assurance that the PHI will be protected. When the HIPAA Omnibus Rule extended the requirements onto business associates, it also meant that the OCR could audit BAs for noncompliance which can have costly consequences.
There are a few of the things that Business Associates are agreeing to do by signing BAAs with the covered entities that they work with. First, they are guaranteeing that they will only use or disclose protected health information in the permitted ways that the covered entity has laid out. To ensure this they will put appropriate safeguards into place to prevent unauthorized usage. Beyond that, they are agreeing to be HIPAA compliant in all aspects and to sign business associate agreements with any subcontractors that they may in turn work with.
One of the main challenges with business associate HIPAA compliance is that oftentimes organizations are not entirely aware that they are considered BAs by the law. Covered entities have always been conscious of their need to follow the compliance requirements of HIPAA but business associates have not always been as aware. Now that business associates are held liable for breaches, it is important that BAs take all the necessary steps to guarantee HIPAA compliance. Although this may seem overwhelming or burdensome to business associates, obtaining HIPAA compliance tells covered entities and patients that you can be trusted to protect their information carefully.