To understand the definition and role of a business associate, you must first understand what a covered entity is – health plans, health care clearinghouses, and certain health care providers. These organizations deal firsthand with protected health information (PHI), and often transmit, store, and share this data, whether it be through billing, verification of eligibility for services, or any number of other activities requiring safe and secure handling of protected health information. However, these covered entities do not always handle all of these operations themselves and may leverage other organizations to handle this sensitive data. The Privacy Rule, therefore, allows for protected health information to be shared with other organizations provided:
This assurance that you will abide by these requirements and that you will be governed by HIPAA compliance regulations is established by becoming a business associate and signing a business associate contract. Even with the establishment of a business associate agreement, the use of protected health information by a business associate is heavily limited. The business associate can only use this information in the manner prescribed by the covered entity to help the covered entity to carry out its health care functions, and not for the business associate’s own purposes, except insofar as needed for the business associate to properly manage and administer itself.
This rule governs the handling of patients’ electronically stored protected health information (ePHI) by establishing physical and technical safeguards to ensure it is secure, confidential, unaltered, and not shared without consent.
Covered entities and business associates need to carefully assess their security risks, even if they use secured electronic health record technology. To ensure they are abiding by the HIPAA Security Rule, there must be administrative, physical, and technical safeguards in place.
The key consideration when determining if you need to sign a Business Associate Agreement for HIPAA compliance, and become a business associate, is whether personal and protected health information is accessed or handled at any point by your organization.
If we create software that handles appointment notifications for clients but does not receive any personal health information in the process (for example, sending only the date, location, and room number of the appointment), then no business associate relationship is necessary. However, if we created a booking application that checked eligibility for services, or entered information that sent billing data to government agencies such as Medicaid, Medicare, or the VA Community Care Network, then that level of access would require us to be a business associate, because health information is consulted in the booking process, and the services rendered will likely be listed in order to submit the claim to the government program.
According to HHS.gov, “business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.”
Simply being employed by or associated with a covered entity does not necessarily mean you are, or need to become, a business associate. A janitorial service working directly for a doctor’s office or health plan provider would not need to be a business associate unless it is directly responsible for the disposal of hard copies of protected health information, such as shredding or burning documents as part of waste disposal. Since part of a covered entity’s responsibility is to limit exposure to protected health information, this would be a highly unusual situation.
Unless the associated entity is given access to protected health information, there is no need for a business associate agreement.
In order for a covered entity to itself be HIPAA compliant, when it allows an organization access to PHI, it must have assurances that this organization is ready to protect the personal health information in the same manner and to the same standards as the covered entity. This includes best practices to protect PHI, employee training, and physical and data security safeguards to prevent the disclosure of protected health information. These assurances must be in writing and are termed Business Associate Agreements. Upon entering such an agreement, you become a business associate.
Subcontractors of business associates can themselves be defined as business associates if protected health information is passed down to that organization for any purpose. Again, this is the key criterion for being defined as a business associate. If no such information is shared between the business associate and the subcontractor, no business associate agreement is necessary, and no business associate relationship needs to exist. However, if a partner relationship is deemed necessary, be aware that no matter how far down the chain the partner sits, the business associate will be held liable, and liability will continue all the way up the chain to the covered entity.
If you are a business associate, you are responsible for any data breach or violation that occurs due to negligence or misuse of protected health information originating from your organization, or from any subcontractors you have under business associate agreements. If the breach occurs in an organization lower in the chain than yours, you will be held responsible, as will the covered entity above you.
As mentioned in other articles, HIPAA has teeth. Hefty fines can be levied against an unsuspecting organization, potentially without its knowledge, if the breach occurs far down the chain. It is important not only that you choose business associates carefully, but that it is impressed upon these associates that the same diligence is required of them.
The covered entity carries the burden of the entire chain of custody when it comes to protected health information (PHI) or electronic protected health information (ePHI). If a breach occurs, or data is lost, the penalties are shared from the source of the problem all the way up the chain. The covered entity is responsible not only for the data itself but for any organization brought into contact with personal and protected health information during the course of daily operations. HIPAA compliance requires the covered entity to ensure that data integrity is assured, that there are physical safeguards to protect any hard-copy data, and that all efforts are made to secure protected health information.
It is important to be aware that HIPAA rules are often not enforced outside of US borders, and that even if a business associate agreement is signed, should an offshore business associate disclose protected health information, legal actions would likely be limited to any business associates or covered entities further up the chain of custody, within the US. In other words, the offshore entity would not be held responsible, and therefore might be less invested in the safety, proper management, and security of protected health information. It also means that the brunt of any fines and criminal penalties would be felt by the covered entity and business associates further up the chain, and still within US jurisdiction.
Flatirons Development hires only top-tier talent and stands ready to deliver innovative, intuitive, and powerful applications according to your specifications and requirements, including HIPAA compliance. We build your applications from scratch in-house, and also offer outsourcing services, filling individual gaps within your team or entire teams operating under your organization’s processes and oversight.
We are always looking for new talent and to expand our pool of available resources. Currently, we are looking for experienced front-end developers who are interested in learning more about our company and what we do. If you are interested in challenging development projects, developing new features for proprietary projects, and maintaining and improving current code, we’d love to hear from you.