To be compliant with HIPAA, you must understand the Business Associate aspect of the law. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, Business Associates of covered entities must comply directly with the HIPAA Security and Privacy Rules. The Security Rule, which complements the HIPAA Privacy Rule, requires safeguards for patients’ electronic protected health information (ePHI) in three categories:
• Administrative: Organizations must have documented policies and procedures that show how they will comply with the Security Rule
• Physical: Organizations must control how patients’ records, and the systems and facilities that hold them, are physically accessed, and prevent inappropriate access
• Technical: Organizations must control and audit access to systems containing ePHI, and protect ePHI that is transmitted over open networks.
Section 13401 of the HITECH Act contains the new BA requirements. The act also states that civil and criminal penalties for HIPAA violations, as well as compliance audits, apply directly to BAs. Under the new law, covered entities must incorporate these additional requirements into their agreements with BAs.
A covered entity may disclose PHI to a business associate for purposes agreed to by contract.
HHS’ definition of a Business Associate:
• A business associate is a person or entity who provides certain functions, activities, or services on behalf of a covered entity involving the use and/or disclosure of PHI.
• A business associate is not a member of the health care provider’s workforce.
• A health care provider or other covered entity can also be a business associate to another covered entity.
• A health care provider to whom a covered entity discloses PHI for treatment is not a business associate. An insurance company that receives PHI for payment is not a business associate either; it does not perform a function on behalf of the covered entity.
The provider’s office must document, by means of a written contract or other written agreement, the satisfactory assurances that the business associate will appropriately safeguard the information disclosed to it.
Examples of a business associate are:
• A billing company
• A clearinghouse
• An answering service
• Contracted IT personnel who have access to computers containing PHI
• A document shredding company
• A collection agency
• An attorney
The business associate agreement sets out the associate’s contractual obligations. Their function is to protect the information itself and to help the covered entity meet its own obligations under HIPAA.
HHS has stressed that PHI may be disclosed to a business associate only to help providers and health plans carry out their health care functions, not for the business associate’s independent use.