The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was originally created to protect health insurance coverage after workers change companies or lose their jobs. However, the legislation is best known for its provisions that require national standards for electronic healthcare transactions.
It is the second section that includes what is known as the Privacy Rule, which regulates the use and disclosure of protected health information held by what are known as covered entities. However, the act did not include provisions for what are known as HIPAA Business Associates.
What Are HIPAA Business Associates?
Business Associates under HIPAA perform certain functions that involve the use or disclosure of protected health information either through services provided to or action taken on behalf of a covered entity. A HIPAA Business Associate may include:
• A third-party claims processor
• An accounting firm that must access patient data in order to provide services to a healthcare provider
• The attorney for a healthcare provider
• Consultants
• Healthcare clearinghouses that translate claims from non-standard formats to standard formats
• Freelance medical transcriptionists
• Pharmacy benefits managers
Under the Omnibus Rule, HIPAA Business Associates must comply with the HIPAA Security and Privacy mandates. With a compliance date of September 23, 2013, Business Associates are subject to audits by the Office for Civil Rights of the Department of Health and Human Services. Companies that do not meet the requirements after a HIPAA compliance audit may be held accountable for data breaches and suffer penalties.
HIPAA Business Associate Contracts
The Health Information Technology for Economic and Clinical Health Act of 2009 (or HITECH) requires the covered entity to confirm that any written arrangements or contracts contain specific information to meet Business Associate compliance. The contract must include:
• A description of the permitted and required uses of health information protected as part of HIPAA compliance
• Statements that the Business Associate will not disclose protected information other than what is required by law
• Proper safeguards to protect the information from material breach or violation, as well as steps to be taken should a data breach occur
In addition, a covered entity must have the right to terminate any agreement with a Business Associate should the data breach not be addressed. The covered entity must report any failure to address a security problem to the Department of Health and Human Services Office for Civil Rights.
HIPAA Compliance Audit
HITECH not only requires Business Associates and covered entities to include specific information regarding privacy and security in their contracts; it also requires the Department of Health and Human Services to conduct HIPAA compliance audits. These audits review the following areas:
• Formal or informal policies that exist to identify risks and vulnerabilities in data security
• Formal or informal policies related to HIPAA Security Rules
• Formal or informal policies related to audit logs, access reports and security incident reports
• Whether security measures are sufficient to reduce risks and vulnerabilities
• Assignment of a HIPAA Security Official, with clearly defined job responsibilities for that position
• Whether the level of authorization of workforce members is well-established
• Formal documentation that identifies levels of access to information systems that house electronic medical information
• Knowledge, skills and abilities of staff to fulfill the roles they are assigned
• Policies and procedures designed to grant access to electronic medical information and the steps for terminating access
• Whether policies and procedures are consistent with HIPAA Security Rules
• A training process that addresses HIPAA policies
HIPAA Business Associate Compliance
One issue with the regulation requiring HIPAA Business Associate compliance is that many of those who fall under the regulation may not have known they were considered Business Associates. In addition, covered entities had several years to bring their records into compliance, while Business Associates were not given that luxury. Therefore, in order to meet Business Associate compliance, those companies must determine which of their business relationships are with organizations subject to HIPAA compliance and then conduct a HIPAA compliance assessment. Once the assessment identifies regulatory obligations, current compliance, and gaps related to the HIPAA-HITECH regulations, the company can develop a plan to meet the requirements of the statute. One item that is necessary as part of compliance is the creation of an Incident Response Plan in order to mitigate the risks of potential data breaches.
With the new regulations in place, companies that fall under HIPAA Business Associate compliance must take steps to be sure that their policies and procedures meet legislative requirements, as they could be subject to a HIPAA compliance audit. Although this puts a burden on the companies identified as HIPAA Business Associates, it will provide better protection for patients and for the business itself in the long run.