In order to provide the best possible care for patients, healthcare providers often need business partners to provide support services. When do these service providers become business associates as defined by HIPAA, and what are their duties and responsibilities in the role of business associate?
How HIPAA Affects the Role of Business Associates – The Basics
The purpose of HIPAA’s rules and regulations is to ensure the privacy of patients’ protected health information (PHI). The law requires organizations to create access controls and take appropriate security measures to accomplish this. Under HIPAA, organizations generally fall into one of two categories:
Covered Entities – HIPAA regulation defines a covered entity as healthcare providers, health plans, and healthcare clearinghouses involved in the electronic transmission of protected health information (ePHI). This transmission can take place for payment, treatment, operations, billing, or insurance coverage.
Covered entities can include organizations, institutions, or persons. A general guideline is that covered entities are a primary source for PHI through their activities (medical treatment, insurance coverage, etc.).
Business Associates – Any organization that performs services for a covered entity or another organization that requires the transmission of electronic PHI (ePHI) is considered to be a business associate. Business associates will never create PHI. Instead, they use the information as directed by the covered entity or another business associate for the contracted purposes needed by their client.
Examples of these services include third-party claims processors, accounting firms that must access patient data to provide services to a healthcare provider, freelance medical transcriptionists, pharmacy benefits managers, cloud service providers, and document storage and destruction firms.
How HIPAA Affects the Role of Business Associates – Do I Need a Business Associate Agreement?
Things became a lot more serious for business associates with the passage of the HITECH Act in 2009 and the Omnibus Rule in 2013. The Department of Health and Human Services (HHS) increased penalties for violations designated as willful neglect.
They also applied many of the standards of the Privacy Rule and the Security Rule to business associates. With these changes came added enforcement of HIPAA provisions for business associates.
Today a business associate must have a Business Associate Agreement (BAA) signed with any covered entity or business associate prior to transferring any ePHI between the organizations. Failure to do so is a clear violation of HIPAA regulations and exposes both organizations to substantial fines and penalties.
These BAAs must clearly state the responsibilities and limitations of each party and must be reviewed regularly. Any substantive changes to the agreement must be reduced to writing in a new agreement signed by both parties.
How HIPAA Affects the Role of Business Associates – Other Instances
Because HIPAA regulations require business associates to protect the privacy of patient PHI, there are other requirements under the HIPAA Privacy Rule and HIPAA Security Rule that must be observed.
Access controls must be in place to ensure only authorized individuals can view records with PHI. Some of these may be physical measures such as locked doors, while others may involve electronic authentication measures such as passwords and access codes.
Suppose your organization employs outside workers for cleaning, pest control, or maintenance services. In that case, it is possible they could accidentally hear or see PHI during the course of their work. Because they do not take possession of PHI, a confidentiality agreement is the best solution.
You can sign a confidentiality agreement with each individual or the service provider’s legal representative. This agreement should state that information accidentally observed must not be shared with anyone, and specify potential liability for breaching the agreement.
How HIPAA Affects the Role of Business Associates – Final Thoughts
The HIPAA law was intended to ensure the privacy of each individual’s PHI and make it easier for patients to access their medical records. In the final analysis, that is the ultimate obligation that each business associate has. As they perform services for covered entities and other business associates, they must maintain the confidentiality of PHI and build a chain of compliance to protect patient PHI at every step along the way.
