Blog

What is a HIPAA Business Associate?

HIPAA
July 6, 2020
Who is a business associate? Who isn’t a HIPAA associate? Our article will answer these questions and more.

What is a HIPAA Business Associate?

Under HIPAA there are two types of entities responsible for safeguarding protected health information: Covered Entities and Business Associates. Most Covered Entities are those organizations that have direct contact with patients, such as doctors, clinics, and hospitals or their information, such as insurance companies. Even though business associates don’t see patients, they may maintain or have access to their healthcare data.

The size and complexities of modern healthcare mean that protected health information (PHI) can be found in more places than just a hospital or a doctor’s office; this data can be found in plenty of businesses: Physical copies of medical records may be maintained offsite in storage, data can be sent to and from locations either via mail or electronically, financial information can be used by third-party billing companies, or patient information can be stored on a cloud-based server maintained by a third party.

A business associate is an organization, or individual, that performs work or activities on behalf of a covered entity that may involve the use or disclosure of protected health information. In other words, if a third party organization could potentially access some PHI in the normal course of their delegated work, they are a business associate.

There are far more business associates than there are covered entities in the healthcare space, as the entire industry relies on outsourcing critical parts of their business services such as billing, storage, software, and collections to outside vendors. Even individual subcontractors and vendors of designated business associates that may create, receive, maintain, or send PHI on behalf of its parent organization are also considered a business associate and must be compliant with HIPAA as the Omnibus Rule expanded the scope of HIPAA in 2013.

Who can be a business associate?

HIPAA defines businesses associates as a person or entity that provides services to a covered entity that involves the disclosure of PHI. Businesses that would be considered business associates when working with covered entities are:

  • Software companies with access to PHI
  • Companies in claims processing or collections
  • Third-party administrators
  • Answering services
  • Pharmacy benefit managers
  • Patient safety or accreditation organizations
  • Medical transcription companies
  • Accreditation companies
  • Data processing firms or software companies that may be exposed to PHI
  • Medical equipment services companies that handle equipment containing PHI
  • Lawyers
  • Accountants
  • Professional translators

Some businesses may be considered business associates or not depending upon the information that they access as part of their service agreement:

  • Accounting firms
  • Law firms
  • Financial firms
  • Auditors

Even organizations located outside the United States can be considered business associates if any of the information they receive, transmit, or maintain can be potentially used to identify a patient in the US.

Business Associate Agreement

HIPAA requires that a covered entity, and it’s business partners that will come into contact with PHI as part of their services, sign a business associate agreement (BAA), which is a contract between a covered entity and an organization or individual that will outline the duties and responsibilities of that organization as it relates to the protection of any protected health information that is shared between the two parties. All Business Associate Agreements must detail the following items:

  • Determine what PHI the Business Associate will access and how it will safeguard PHI: The business associate will agree to implement administrative, technical, and physical safeguards outlined in the HIPAA security rule to protect PHI. They should be able to give the covered entity copies of their HIPAA policies and procedures if requested. If they cannot, this should be a red flag.
  • Require and Log Employee HIPAA Training:All employees of the business associate should undertake and complete HIPAA training so they may understand their responsibilities when it comes to protecting PHI. The Business associate should be able to show proof that their employees have completed this training.
  • Procedures in the event of a Data Breach: Should your BA allow or suffer a breach of PHI, they should contact you immediately without delay. Your agreement should specify that the notice of the breach be given within 15 days of the discovery of the breach. As HIPAA allows you 60 days upon discovery of a breach to notify HHS as well as the patients of the breach of their day, this 15-day window will allow you plenty of time.
  • Necessity Subcontractor Compliance: The BA must require their own subcontractors who will access, transmit, or otherwise come into contact with PHI to meet the same HIPAA requirements as they do.
  • Termination of the Agreement: Allows the Covered Entity to terminate the agreement if the BA is found to be in violation of the terms of the contract.
  • Destruction or Return of PHI:  When you conclude your services with the business associate, they must agree to return or destroy any PHI that they have received from the covered entity they are working with. This also includes any and all Subcontractors they work with.

There are many examples of business associate agreements online, but it is important to take care before using such templates as they may have been designed for a different relationship. Each BAA should be customized for the unique nature of the relationship between the Covered Entity and the respective covered entity.

HIPAA Compliance for Business Associates

Accountable is designed to simplify and streamline the process of HIPAA Compliance for covered entities and business associates. Our solution comes ready with multiple templates that are easily customizable for all types of service agreements and will allow the BA to adopt the correct policies and procedures to safeguard the PHI under their care, as well as provide them a framework to become compliant with the HIPAA law.

Try it for free.


More from the Blog

GenixTec has achieved HIPAA Compliance with Accountable
Compliant Tools

GenixTec has achieved HIPAA Compliance with Accountable

HIPAA and Workforce Training
HIPAA

HIPAA and Workforce Training

Understanding HIPAA Certification
HIPAA

Understanding HIPAA Certification

Is Google Docs HIPAA Compliant?
Compliant Tools

Is Google Docs HIPAA Compliant?

Is Calendly HIPAA Compliant?
Compliant Tools

Is Calendly HIPAA Compliant?

Is Google Sheets HIPAA Compliant?

Is Google Sheets HIPAA Compliant?

Is iCloud HIPAA Compliant?
Compliant Tools

Is iCloud HIPAA Compliant?

President Biden Looks to Boost Cybersecurity at U.S. Ports
Data Security

President Biden Looks to Boost Cybersecurity at U.S. Ports

Get Started
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Ready to chat?

See how some of the fastest growing companies use Accountable to build trust through privacy and compliance.
Trusted by
Accountable Compliance Management Logo

We make it easy to get your own HIPAA Certification and build trust with your customers and patients.

Product
PlaybooksHow it worksProductPricingWatch DemoSeal of ComplianceGet Support
Solutions
HIPAAGDPR
Resources
BlogHIPAA TrainingHIPAA Risk AnalysisGDPR Risk Analysis
Company
AboutCareersSupportContact UsPrivacy CenterProduct Updates
Account
Sign InForgot Password

"Accountable allowed us to quickly establish Core Compliance with HIPAA as well as a firm foundation for our Security Program." - Michael H.

© 2024 Accountable HQ, Inc.
SitemapTerms of ServicePrivacy Policy