A Business Associate “is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity.”
Not only is it a HIPAA requirement, but it is extremely important, that Covered Entities have Business Associate Agreements (BAAs) with all of their Business Associates. These differ from an ordinary business contract: they need to be specific about what the Business Associate can and cannot do with the Covered Entity’s patients’ data, and about what the Business Associate commits to under the provisions of the HITECH Act and the HIPAA Rules. The bottom line is to protect the privacy and security of health information and to protect individuals’ rights with respect to their health information.
Set guidelines for how and when your Business Associates have access to the organization’s PHI:
· How is this access being monitored? Is there unlimited access to the environment, or do you have an audit trail in place to know exactly when they are in your systems?
· Is your Business Associate aware of the permission parameters for use and disclosure of the organization’s PHI?
· When a Covered Entity terminates a contract with a Business Associate, are all connections to the systems or environment disabled?
· Does your Business Associate understand and abide by the security incident process they have created, and do they know how quickly they need to contact the organization?
Offshore Business Associates are permitted under HIPAA and the law applies to them in the same way it applies to companies located within the United States.
HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.