What is a HIPAA Business Associate?
Under HIPAA there are two types of entities responsible for safeguarding PHI: Covered Entities and Business Associates. Most Covered Entities are organizations that have direct contact with patients (such as doctors, clinics, and hospitals) or with their information (such as insurance companies). Even though business associates don’t see patients, they may maintain or have access to patients’ healthcare data.
The size and complexity of modern healthcare mean that protected health information (PHI) can be found in more places than just a hospital or a doctor’s office; this data can be found in plenty of businesses: physical copies of medical records may be maintained offsite in storage, data can be sent between locations either by mail or electronically, financial information can be used by third-party billing companies, and patient information can be stored on a cloud-based server maintained by a third party.
A business associate is an organization, or individual, that performs work or activities on behalf of a covered entity that may involve the use or disclosure of protected health information. In other words, if a third-party organization could potentially access some PHI in the normal course of its delegated work, it is a business associate.
There are far more business associates than there are covered entities in the healthcare space, as the entire industry relies on outsourcing critical business services such as billing, storage, software, and collections to outside vendors. Since the Omnibus Rule expanded the scope of HIPAA in 2013, even the individual subcontractors and vendors of a designated business associate that create, receive, maintain, or send PHI on behalf of that business associate are themselves considered business associates and must be compliant with HIPAA.
Who can be a business associate?
HIPAA defines a business associate as a person or entity that provides services to a covered entity that involve the disclosure of PHI. Businesses that would be considered business associates when working with covered entities include:
- Software companies with access to PHI
- Companies in claims processing or collections
- Third-party administrators
- Answering services
- Pharmacy benefit managers
- Patient safety or accreditation organizations
- Medical transcription companies
- Accreditation companies
- Data processing firms or software companies that may be exposed to PHI
- Medical equipment services companies that handle equipment containing PHI
- Professional translators
Some businesses may or may not be considered business associates, depending upon the information that they access as part of their service agreement:
- Accounting firms
- Law firms
- Financial firms
Even offshore organizations can be considered business associates if any of the information they receive, transmit, or maintain could potentially be used to identify a patient in the US.
Business Associate Agreement
HIPAA requires that a covered entity and each of its business partners that will come into contact with PHI as part of their services sign a business associate agreement (BAA). A BAA is a contract between a covered entity and an organization or individual that outlines the duties and responsibilities of that organization as they relate to the protection of any protected health information shared between the two parties. All Business Associate Agreements must detail the following items:
- Determine what PHI the Business Associate will access and how it will safeguard PHI: The business associate will agree to implement the administrative, technical, and physical safeguards outlined in the HIPAA Security Rule to protect PHI. They should be able to give the covered entity copies of their HIPAA policies and procedures if requested. If they cannot, this should be a red flag.
- Require and Log Employee HIPAA Training: All employees of the business associate should undertake and complete HIPAA training so they understand their responsibilities when it comes to protecting PHI. The business associate should be able to show proof that their employees have completed this training.
- Procedures in the event of a Data Breach: Should your BA allow or suffer a breach of PHI, they should contact you immediately. Your agreement should specify that notice of the breach be given within 15 days of its discovery. As HIPAA allows you 60 days from discovery of a breach to notify HHS as well as the patients whose data was breached, this 15-day window will leave you plenty of time.
- Require Subcontractor Compliance: The BA must require their own subcontractors who will access, transmit, or otherwise come into contact with PHI to meet the same HIPAA requirements as they do.
- Termination of the Agreement: Allows the Covered Entity to terminate the agreement if the BA is found to be in violation of the terms of the contract.
- Destruction or Return of PHI: When you conclude your services with the business associate, they must agree to return or destroy any PHI that they have received from the covered entity they are working with. This also applies to any and all subcontractors they work with.
There are many examples of business associate agreements online, but it is important to take care before using such templates, as they may have been designed for a different relationship. Each BAA should be customized for the unique nature of the relationship between the Covered Entity and the respective business associate.
HIPAA Compliance for Business Associates
Accountable is designed to simplify and streamline the process of HIPAA compliance for covered entities and business associates. Our solution comes ready with multiple templates that are easily customizable for all types of service agreements and will allow the BA to adopt the correct policies and procedures to safeguard the PHI under their care, as well as provide them a framework for becoming compliant with HIPAA.
Try it for free.