HIPAA Tip: Business Associates

As defined by HHS, a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity.

Business Associate functions and activities include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business Associate services are legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial.

Some examples of Business Associates are:

  • Third party administrator that assists a health plan
  • CPA firm whose accounting services involve access to PHI
  • Legal counsel whose services involve access to PHI
  • Accreditation organization that would access a Covered Entity’s PHI
  • Pharmacy manager that manages a health plan’s pharmacist network
  • Independent transcriptionist providing services to a Covered Entity
  • Software solutions used by a healthcare organization that would contain PHI
  • Transportation service hired by a Covered Entity for patients’ pick up or drop off

Ensure Business Associate Agreements are in place with all third parties that have access to the organization’s PHI. The Business Associate Contract must describe the permitted and required uses of PHI by the Business Associate, and must provide that the Business Associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.
