Am I Designated as a HIPAA Business Associate?

by ih-coc admin

by Jay Hodes, President - Colington Consulting

I consult regularly with individuals and organizations involved in some aspect of the healthcare sector who are asking this question.

Let’s start with the definition of a Business Associate (BA). According to the U.S. Department of Health and Human Services (HHS), a BA “is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity (healthcare provider and health plans). The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.”

HHS further identifies business associate functions and activities to include “claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.”

An easy way to figure out if you or your company is a BA is by asking this question: “Is there a need to create, store, receive, or transmit any electronic or paper protected health information for a healthcare provider or plan?” It does not matter how much or how little. If you answered “yes,” you are most likely considered a HIPAA Business Associate.

So, what does that mean? Individuals, organizations, and agencies that meet the definition of a BA must comply with the HIPAA Security Rule and applicable parts of the HIPAA Privacy Rule. To meet regulatory requirements, a BA must have a comprehensive HIPAA compliance program in place, regardless of size.

As a BA, you will be required to sign a Business Associate Agreement (BAA). A BAA is a contract or other written arrangement between the Covered Entity and you or your organization. All BAAs must contain specific elements, including: describing the permitted and required uses of protected health information (PHI) by the BA; ensuring that the BA will not use or further disclose the PHI beyond what is permitted or required by the contract or as required by law; and requiring the BA to use appropriate safeguards to prevent any use or disclosure of PHI other than as provided for by the contract.

Most BAAs now include indemnification clauses, which obligate the BA to pay the Covered Entity (CE) for any loss or damages that have been or may be incurred as a result of a breach. If you are a BA, carefully read this clause and make sure you are aware of what your possible financial responsibilities may be. If the clause concerns you, it is worth trying to negotiate with the CE for more favorable terms. Remember that the PHI/ePHI you need to access to provide your services belongs to the Covered Entity’s patients, so the CE may give you little to no wiggle room on the clause, but it is worth a try.

Should the BA discover that a breach of PHI/ePHI has occurred, it is required to notify the Covered Entity of the breach. The Breach Notification Rule sets the outer limit at no later than 60 calendar days after discovery, but BAAs often shorten this considerably: the contractual time period to notify the CE is frequently almost immediate or within 24–48 hours. The BA should also be aware that a breach may cause the CE to terminate its contract for services.

If you are an individual or organization providing services as a BA in the healthcare sector and you need access to PHI, this is the reality of HIPAA compliance.