According to the Health Insurance Portability and Accountability Act (HIPAA), two groups are primarily responsible for maintaining HIPAA compliance. Covered entities are the most readily assumed, but another, known as business associates, also interact with electronic health records (EHR) and protected health information (PHI). These organizations must be contracted via a HIPAA business associate agreement and are held to stringent standards of confidentiality and professionalism.
What is a HIPAA Business Associate?
The most significant difference between covered entities and business associates is their activities. Specifically, HIPAA business associates don’t have to provide care or directly work with patients at all. Instead, they’re responsible for processing, storing, and maintaining sensitive patient data and PHI.
These data categories fall under HIPAA. Therefore, these organizations must establish HIPAA business associate agreements stipulating compliant EHR and PHI handling as a contractual obligation to which their services adhere. It ensures protection for both the organization and patients.
Establishing a business associate agreement requires answering:
- What is the HIPAA Privacy Rule?
- How does it apply to business associates?
- How can you create a business associate agreement that serves your customers without jeopardizing data security or integrity?
Understanding the HIPAA Privacy Rule
The HIPAA Privacy Rule requires every covered entity to obtain reasonable assurances from each of its business associates that PHI will be used appropriately and stored securely. Providing those assurances in writing is the purpose of the HIPAA business associate agreement. Nonetheless, confusion often arises when distinguishing covered entities from business associates.
However, regardless of the involved party’s categorization, HIPAA regards any improper use or disclosure of PHI or electronic PHI (ePHI) as a data breach and compliance violation.
Covered Entities and Business Associates
The HIPAA Privacy Rule applies to all covered entities by default. According to the U.S. Department of Health & Human Services (HHS), covered entities include:
- Health plans – Both individual and group plans are included in this category. It includes HMOs (health maintenance organizations), Medicare, Medicaid, and Medicare+Choice. Plans sponsored by employers, churches, or government entities are also included.
- Healthcare providers – This is a broad, catch-all category meant to include as many different organizations as possible within the healthcare sector. Per HIPAA guidelines, any healthcare provider that uses electronic means to transmit or receive PHI is considered a covered entity.
- Healthcare clearinghouses – Because they regularly receive and transmit EHR and PHI, healthcare clearinghouses are also considered covered entities.
Although these categories cover nearly every healthcare professional who comes into contact with a patient, covered entities are not the only organizations that work with EHR or PHI. Whenever a third-party business associate is used, a HIPAA business associate agreement is required.
How Does the HIPAA Privacy Rule Apply to Business Associates?
Business associates generally comprise independent partner and service-delivery organizations responsible for processing, analyzing, or storing PHI. When they’re enlisted by a health plan, healthcare provider, or healthcare clearinghouse to interact with data, HIPAA business associates are bound by all HIPAA standards. This regulatory adherence is legally represented by the business associate agreement with the covered entity.
Do You Need a HIPAA Business Associate Agreement?
Any covered entity that enlists the services of a third-party business associate must obtain a signed HIPAA business associate agreement from them.
Duties commonly performed by business associates include:
- General data entry and recordkeeping
- Claims processing and verification
- Billing, collections, and accounting
- Data analysis and aggregation
- Medical device manufacturing
- Legal representation and consultation
Any organization or individual performing these duties on behalf of a covered entity is considered a business associate, must have business associate agreements documented, and is bound by all HIPAA standards.
What to Include in Your Business Associate Agreement
Most HIPAA business associate agreements are standard legal documents. Therefore, contract creation begins with establishing crucial terms used throughout the agreement and is followed directly by a list of standard HIPAA business associate requirements.
Business associate agreements then declare the scope of PHI interaction and permitted usage. This section is often modified, as it dictates exactly what a business associate can or cannot do with the data.
The contract concludes with its exact terms, including the day, month, and year on which the agreement goes into effect. If the agreement is set to end on a specific date, data retention (and return or destruction of PHI) stipulations must be established as well. Any remaining or miscellaneous information is included at the bottom of the contract, such as regulatory references, amendments, or unique interpretations of the HIPAA standards.
A generic HIPAA business associate agreement will suffice in most scenarios, and HHS provides a sample contract for public use. However, it’s important to note that this contract still requires customization, specifically when declaring permitted PHI usage and describing the agreement’s exact terms or dates.
Maintaining HIPAA Compliance With a Business Associate
Although they generally don’t have direct contact with patients, business associates are still critical to the healthcare industry. If you need assistance with preparing your HIPAA business associate agreement—particularly the scope of your processes and IT environment that interact with PHI—RSI Security provides HIPAA compliance and cybersecurity expertise.
If you have questions about achieving and maintaining HIPAA compliance, contact RSI Security today.