According to HIPAA, who are my Business Associates?
Providers work with many different groups, and many of them have some interaction with Protected Health Information (PHI). To help us understand who qualifies as a Business Associate, the Department of Health & Human Services has provided some resources.
But first … what is PHI, or individually identifiable health information? Basically, it is any information used to identify an individual patient, as well as information created or received that has anything to do with the patient. This includes demographics as well as past, present or future health conditions. In short, it is anything that can reasonably be used to identify an individual or their treatment. This includes patient names, date of birth, carrier policy information, etc.
Why do I need a contract with my Business Associates?
The reason behind the Privacy Rule is to obtain assurances from your Business Associates that they will safeguard the Protected Health Information. This is now required in writing in the form of a contract, called a Business Associate Agreement. To learn more about this, ChiroCode (ChiroCode.com) has written a book called “Complete and Easy HIPAA Compliance”. The third edition was updated last year to include provisions of the Omnibus Final Rule. To order your book, go to innoviHealth. Your Business Associate Contracts must contain the elements specified at 45 CFR 164.504(e), such as describing the permitted and required uses of PHI by the associate, and stating that the associate will not use or disclose the PHI for anything other than as required by law. Also, if there is a breach, the covered entity must take the appropriate steps to correct it. The contract must clearly state how the issue would be resolved.
Note that Business Associate Agreements are not necessary if the arrangement is for Treatment, Payment, or Health Care Operations (TPO). More specific information defining TPO will be made available in an upcoming article.
Who is a covered entity?
The HIPAA Privacy Rule only applies to covered entities – health plans, health care clearinghouses and certain health care providers.
Examples of potential Business Associates:
(This is not a complete list – Examples only)
- A third party administrator.
- Anyone assisting a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan or provider involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
- External auditors or accountants.
- Professional translator services.
- Answering services.
- Consultants hired to conduct audits, perform coding reviews, etc.
- Accreditation agencies.
- Shredding and/or document storage companies.
- Data processing firms or software companies that may be exposed to or use PHI.
- Medical transcription services, even if you contract with an individual rather than a company.
- Medical equipment service companies handling equipment that holds PHI.
- E-prescribing gateways.
- Health information organizations.
Who is not a business associate?
(This is not a complete list – Examples only)
- An external researcher.
- Another health care provider.
- Banking and financial institutions, or consumer-conducted financial transactions.
- Collections agencies.
- Janitorial services or electricians.
- US Postal Service.
FAQs from HHS.gov
Q. Is a physician or other provider considered to be a business associate of a health plan or other payer?
A. No. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/253.html
Q. Is a software vendor a business associate of a covered entity?
A. Yes. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/256.html
Q. Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
A. No (see 45 CFR 164.504(e)). http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/237.html
Q. Do physicians with hospital privileges have to enter into business associate contracts with the hospital?
A. No. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/248.html
Q. Are accreditation organizations business associates of the covered entities they accredit?
A. Yes. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/238.html
Q. Is a health insurance issuer or HMO who provides health insurance or health coverage to a group health plan a business associate of the group health plan?
A. No. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/254.html
Q. Does a health care provider have to have a BAA (Business Associate Agreement) with another provider?
A. No. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/240.html
Q. Is a business associate contract required for a covered entity to disclose protected health information to a researcher?
A. No. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/239.html