Covered Entities & Business Associates
With
business associates and business associate agreements (BAAs) coming under
increased scrutiny in the latest round of HIPAA audits, some covered entities
are wondering how to identify which vendors are considered business associates,
and therefore require a BAA, and which vendors are not.
According
to the Privacy Rule, a business associate is a person or entity that performs
certain functions or activities that involve the use or disclosure of protected
health information (PHI) on behalf of, or provides services to, a covered
entity (CE).
Business
associate functions and activities include the following:
●
Claims
processing or administration;
●
Data
analysis;
●
Processing
or administration;
●
Utilization
review;
●
Quality
assurance;
●
Billing;
●
Benefit
management;
●
Practice
management; and
●
Repricing;
Additionally,
any entity that provides any of the following services involving the disclosure
of PHI by a CE, is a business associate:
●
Legal;
●
Actuarial;
●
Accounting;
●
Consulting;
●
Data
aggregation;
●
Management;
●
Administrative;
●
Accreditation;
or
●
Financial.
In
addition, the Omnibus Rule includes a new definition of a business associate. A
business associate is also defined as an individual or organization that
creates, receives, maintains, or transmits PHI on behalf of a CE. In addition,
four new categories were added to the definition:
●
Health
Information Exchanges;
●
E-prescribing
gateways;
●
Data
transmission services; and
●
Entities
that offer a personal health record to individuals on behalf of a CE.
The
following is a list of sample business associates a CE may have. A BAA would
need to be initiated for all of these vendors. Examples include
●
IT
companies that support health care providers;
●
Electronic
Health Record (EHR) system providers;
●
Data
centers, online backup companies, cloud service providers, even if they do not
access data;
●
Shredding
companies;
●
Insurance
agents;
●
A
CPA firm whose accounting services to a health care provider involve access to
PHI;
●
An
attorney whose legal services to a health plan or provider involve access to
PHI;
●
Any
person or entity providing services to a business associate that requires
access to PHI; and
●
Data
centers, online backup companies, cloud service providers, providing services
to a business associate, even if they do not access data.
The
Privacy rule also outlines situations where it is not necessary to enter into a
BAA. Some examples of when a BAA is not required are the following:
●
When
a health care provider discloses PHI to a health plan for payment purposes, or
when the health care provider simply accepts a discounted rate to participate
in the health plan’s network.
●
With
persons or organizations (e.g., janitorial service or electrician) whose
functions or services do not involve the use or disclosure of PHI, and where
any access to PHI by such persons would be incidental, if at all.
●
Among
CEs who participate in an organized health care arrangement (OHCA) to make
disclosures that relate to the joint health care activities of the OHCA.
●
Where
a group health plan purchases insurance from a health insurance issuer or HMO.
●
Where
one CE purchases a health plan product or other insurance, for example,
reinsurance, from an insurer.
●
With
a person or organization that acts merely as a conduit for PHI, for example,
the US Postal Service, certain private couriers, and their electronic
equivalents.
●
To
disclose PHI to a researcher for research purposes, either with patient
authorization, pursuant to a waiver, or as a limited data set.
●
When
a financial institution processes consumer-conducted financial transactions by
debit, credit, or other payment card, clears checks, initiates or processes
electronic funds transfers, or conducts any other activity that directly
facilitates or affects the transfer of funds for payment for health care or
health plan premiums.
Also
included are the following exceptions to the business associate standard. In
these situations, a CE is not required to have a BAA or other written agreement
in place before PHI may be disclosed to the person or entity.
●
Disclosures
by a covered entity to a health care provider for treatment of the individual;
●
Disclosures
to a health plan sponsor, such as an employer, by a group health plan, or by
the health insurance issuer or HMO that provides the health insurance benefits
or coverage for the group health plan, provided that the group health plan’s
documents have been amended to limit the disclosures or one of the exceptions
at 45 CFR 164.504(f) have been met;
●
The
collection and sharing of PHI by a health plan that is a public benefits
program, such as Medicare, and an agency other than the agency administering
the health plan, such as the Social Security Administration, that collects PHI
to determine eligibility or enrollment, or determines eligibility or
enrollment, for the government program, where the joint activities are
authorized by law; and
●
Patient
safety organizations.
No comments:
Post a Comment