Navigating the Rough Waters of Being a HIPAA Business Associate

One of the most frequently asked questions from organizations in the healthcare universe (anyone who manages PHI) is “Am I a HIPAA Business Associate?” The second most frequent question is “What is a HIPAA Business Associate?”

Are We a Business Associate?

Chances are, you are a business associate. In all likelihood, when you set up your business arrangement with your client, they will have asked you to sign a business associate agreement (BAA). This clarifies your role (under HIPAA regulations) relative to your client. But in rare cases, you may have a client agreement where they neglected to have you sign a BAA.

If you’re not sure, the short answer is that if you handle patient information that can in any way identify a specific person (what HIPAA calls PHI), then you’re a business associate. As a BA, you are subject to the regulatory requirements of HIPAA and to penalties if you don’t comply. The official definition in the HIPAA Final Rule (also called the Omnibus Rule) says that a BA is any person or organization that:

  • Creates, receives, maintains, or transmits PHI on behalf of a covered entity or an Organized Health Care Arrangement (OHCA) for a regulated function or activity. These include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing.
  • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of protected health information (PHI).

The Department of Health and Human Services (HHS) website says typical business associates of a healthcare organization might include:

  • A third party administrator that assists a health plan with claims processing
  • A CPA firm whose accounting services to a healthcare provider involve access to protected health information
  • A consultant that performs utilization reviews for a hospital
  • A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer
  • An independent medical transcriptionist that provides transcription services to a physician
  • A pharmacy benefits manager that manages a health plan’s pharmacist network

But now the Omnibus Rule has expanded the definition of a BA to also include:

  • Those who store or otherwise maintain PHI, such as an Internet service provider (ISP) or cloud service company
  • Health Information Organizations (HIOs), e-prescribing gateways and others who provide data transmission services to a covered entity and require routine access to PHI
  • Anyone who offers a personal health record to individuals on behalf of a covered entity. (HIPAA regulations now require that individuals have access to their health records.)
  • Subcontractors of business associates, if the business associate delegates to the subcontractor a function that involves the creation, receipt, maintenance, or transmission of PHI

The only people and organizations explicitly excluded from the BA designation are employees of a healthcare organization; providers such as doctors with staff privileges at an institution; labs; service providers such as telephone companies or electricians who have very limited exposure to PHI; and companies such as the postal service, shippers, or couriers, who are considered “conduits” for PHI.

At this point, if your business works with any healthcare-related organization and is not one of the excluded types, you are probably a BA, and you need to know your responsibilities and risks.

Read the full article here: HIPAA Business Associate 101: A Primer

About Data Breach Watch Administrator
