Attending the National HIPAA Summit always brings up questions, even on the most basic topics/categories of the HIPAA Rule; one being Business Associates. HHS defines Business Associates in their Fact Sheet on Direct Liability of Business Associates under HIPAA. “A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity. See the definition of “Business Associate” at 45 CFR 160.103.
Examples of Business Associates:
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to PHI.
- An attorney whose legal services to a health plan involve access to PHI.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
This is not an exhaustive list and many times there may be “grey areas” when considering whether a third party assisting the organization is actually a Business Associate. Always ask this question: does the person or entity create, receive, maintain or transmit PHI in the course of performing services on behalf of the Covered Entity? If you feel this is the case secure a Business Associate Agreement with this person or entity.
HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.