Role of Business Associates

In order to provide the best possible care for patients, healthcare providers often need business partners to provide support services. When do these service providers become business associates as defined by HIPAA, and what are their duties and responsibilities in the role of business associate?

How HIPAA Affects the Role of Business Associates – The Basics

The purpose of HIPAA’s rules and regulations is to ensure the privacy of patients’ protected health information (PHI). The law requires organizations to create access controls and take appropriate security measures to accomplish this. Under HIPAA, organizations generally fall into one of two categories:

Covered Entities – HIPAA regulation defines a covered entity as healthcare providers, health plans, and healthcare clearinghouses involved in the electronic transmission of protected health information (ePHI). This transmission can take place for payment, treatment, operations, billing, or insurance coverage. 

Covered entities can include organizations, institutions, or persons. A general guideline is that covered entities are a primary source for PHI through their activities (medical treatment, insurance coverage, etc.).

Business Associates – Any organization that performs services for a covered entity or another organization that requires the transmission of electronic PHI (ePHI) is considered to be a business associate. Business associates will never create PHI. Instead, they use the information as directed by the covered entity or another business associate for the contracted purposes needed by their client. 

Examples of these services include third-party claims processors, accounting firms that must access patient data to provide services to a healthcare provider, freelance medical transcriptionists, pharmacy benefits managers, cloud service providers, and document storage and destruction firms.

Let’s Simplify Compliance

Do you need help with HIPAA? Compliancy Group can help!

Learn More!
HIPAA Seal of Compliance

How HIPAA Affects the Role of Business Associates – Do I Need a Business Associate Agreement?

Things became a lot more serious for business associates with the passage of the HITECH Act in 2009 and the Omnibus Rule in 2013. The Department of Health and Human Services (HHS) increased penalties for violations designated as willful neglect. 

They also applied many of the standards of the Privacy Rule and the Security Rule to business associates. With these changes came added enforcement of HIPAA provisions for business associates.

Today a business associate must have a Business Associate Agreement (BAA) signed with any covered entity or business associate prior to transferring any ePHI between the organizations. Failure to do so is a clear violation of HIPAA regulations and exposes both organizations to substantial fines and penalties.

These BAAs must clearly state the responsibilities and limitations of each party and must be reviewed regularly. Any substantive changes to the agreement must be reduced to writing in a new agreement signed by both parties.

How HIPAA Affects the Role of Business Associates – Other Instances

Because HIPAA regulations require business associates to protect the privacy of patient PHI, there are other requirements under the HIPAA Privacy Rule and HIPAA Security Rule that must be observed. 

Access controls must be in place to ensure only authorized individuals can view records with PHI. Some of these may be physical measures such as locked doors, while others may involve electronic authentication measures such as passwords and access codes.

Suppose your organization employs outside workers for cleaning, pest control, or maintenance services. In that case, it is possible they could accidentally hear or see PHI during the course of their work. Because they do not take possession of PHI, a confidentiality agreement is the best solution. 

You can sign a confidentiality agreement with each individual or the service providerR