HIPAA, the Health Insurance Portability and Accountability Act, is a set of rules and regulations that has historically applied to Covered Entities (CEs), such as health care providers that engage in standard electronic transactions, health plans, and health care clearinghouses, to help protect patients' medical information, typically known as Protected Health Information (PHI). With the most recent changes to the HIPAA rule, which took effect September 23, 2013, the definition of a Business Associate (BA) has changed, as have the security and privacy requirements BAs must follow. Under the current rule, the Privacy and Security Rules apply directly to BAs. This was not the case with past iterations of HIPAA.
What is a HIPAA Business Associate?
HHS defines a BA as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. In practice, CEs can share protected health information with BAs so that the BAs can perform those services. A member of the covered entity's workforce is not considered a BA. Lastly, a covered health care provider, health plan, or health care clearinghouse can be a business associate of another CE; in other words, a CE can be a BA of another CE.
Examples of BAs
Below are some examples of Business Associates:
- Billing companies or billing and coding consultants
- Health Information Organizations
- Subcontractors that create, receive, maintain or transmit PHI on behalf of another BA
- Attorneys or Law Firms
- Computer maintenance services and companies
- Insurance brokers
- Medical equipment testing/repair services
- Pharmaceutical companies
- Software vendors
- Waste disposal services and companies
The following are not considered Business Associates:
- Health insurance plan receiving PHI from provider
- Provider treating the patient
- Government agencies (such as public health department)
- External or independent Institutional Review Boards
- Banks/financial institutions with respect to payment activities
For more detailed information on BAs please visit the HHS site.
Oh, so I Am a Business Associate, Now What?
Under the most recent HIPAA rule, BAs are on the hook and must follow the same privacy and security regulations and guidelines as CEs. From a security standpoint, a BA should assign a security officer, conduct a risk assessment to identify any gaps, and draft policies and procedures that document the security standards followed by the Organization. Organizations should also train workforce members on the relevant security and privacy policies. These steps should be taken as soon as possible to avoid monetary fines. For example, Cedars-Sinai Hospital fired six workforce members for snooping in 14 patient medical records; coincidentally, this was during the time period that Kim Kardashian had her baby at the facility.
The best course of action a BA can take is to hire a reputable HIPAA consultant or firm to perform an assisted risk assessment on behalf of the Organization. The risk assessment will identify the areas in which the Organization is deficient. The HIPAA expert will then put together a remediation plan, and the Organization can work towards addressing all areas outlined within that plan.
Although the new HIPAA rule can seem overwhelming, by taking a few simple steps you can bring your Organization into HIPAA compliance, preserve your relationships with the CEs that do business with your Organization, and protect yourself from costly audits and fines.