Business Associates and HIPAA Compliance
Besides the healthcare providers who handle patients' health information, other organizations must also comply with HIPAA. These organizations are known as Business Associates and are direct vendors to covered entities such as hospitals, health plans, or other medical entities.
Who Are Business Associates?
Business associates (BAs) are organizations or individuals who act on behalf of, or provide services to, covered entities such as hospitals or dental practices. The catch is that, in order to function, these businesses require access to protected health information (PHI).
HIPAA sets the standards for how PHI must be kept private and secure by anyone in the healthcare industry who has access to it. Therefore, business associates are also required to comply with the many requirements of HIPAA, since they use PHI in the course of their work, just as covered entities do.
Examples of Business Associates
These organizations can be financial, management, administrative, legal, consulting, or even IT service providers.
Here are a few examples of HIPAA Business Associates:
- Medical billing companies
- Law offices
- Accounting firms
- Shredding services
- IT vendors
- Health insurance companies
- Medical transcription services
- Translation service providers
- Cloud service providers
Responsibilities Extended To Business Associates
Compliance responsibilities were extended to business associates when the HIPAA Omnibus Rule was passed in 2013. Not only did the rule redefine what business associates are, it also extended compliance responsibilities under both the Privacy Rule and the Security Rule to business associates, rather than just covered entities.
This means that if any organization or individual provides any form of service to a covered entity that requires access to PHI, they are directly responsible for any HIPAA breach that occurs on their end. In fact, there are more business associates than there are covered entities, and PHI must be safeguarded by every one of them.
Business Associate Subcontractors
Just as business associates provide services to covered entities, there are also other organizations that provide services to these business associates or perform similar tasks on behalf of the BA. These organizations are called business associate subcontractors. Depending on to whom the service is being provided, an organization can be either a business associate or a business associate subcontractor. Many of the examples of business associates listed above are the same kinds of organizations that provide services as subcontractors in other situations. For example, accountants, attorneys, email encryption providers, file sharing vendors, shredding companies, etc. can all be classified as business associate subcontractors as well.
Business Associate Agreements (BAA)
If you are working with a business associate, or you are a BA working with a subcontractor, then you must put a Business Associate Agreement (BAA) in place with the other party. A BAA is a written agreement between the vendor and the covered entity that lays out each party's responsibilities and obligations when it comes to handling PHI. Under HIPAA's guidelines, a covered entity should only work with an organization once a business associate agreement has been signed and is in place, so that there is an assurance that PHI will be protected.
Seek Help For Compliance
Often, organizations are not aware that they are considered a business associate under the law and could risk facing fines of thousands or even millions of dollars. Covered entities that share PHI with any other vendor must conduct due diligence and inform the other party of its roles and responsibilities when it comes to handling PHI. For those who do not know much about HIPAA compliance, seeking help might be a good idea. Many organizations, covered entities and business associates alike, also use HIPAA compliance management tools to streamline their compliance efforts, such as employee training, contract management, risk assessments, and policy and procedure management. You should also check your state laws, since each state has different privacy requirements regarding the use and disclosure of patients' health information.
Author Bio: Riyan N. Alam is a digital marketing analyst at CloudApper, a supplier of mobile ERP solutions, including HIPAA compliance software, facility management software, and more. Drawing on his passion for reading, he writes about subjects valuable to people and their daily lives. Riyan loves traveling and trading in his free time.