If you work with health care organizations, here is how to tell whether you are a Business Associate and therefore need to be HIPAA compliant.
Health and Human Services (HHS) defines a Business Associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
Essentially, a Business Associate is a person or entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a Covered Entity. Specific functions or activities that qualify include claims processing or administration, utilization review, quality assurance, billing, legal consultation, information technology support, cloud computing and hosting services (including vendors that store encrypted PHI without holding the key), and document destruction. Since the 2013 Omnibus Rule, a subcontractor that handles PHI on behalf of a Business Associate is itself a Business Associate and carries the same obligations.
Additionally, if your organization is contracted with a Covered Entity but does not handle protected health information, the Covered Entity may still ask you to be HIPAA compliant to help it protect the information it holds. HIPAA itself does not impose that obligation on you, but the Covered Entity can make it a condition of the contract, and it can always end the contract and move to another organization that is HIPAA compliant.
Business Associate Agreements
If you are a Business Associate, you will need to sign a Business Associate Agreement (BAA) with your Covered Entity (or, if you are a subcontractor, with the Business Associate you serve). The Agreement will specify the permitted uses and disclosures of protected health information (PHI), the safeguards you must apply to it, and what you must do in the event of a breach, including how quickly you have to notify the Covered Entity. The BAA will also have provisions for when it ends and for what happens to the PHI you hold when the contract ends, normally that it is returned or destroyed, or, if that is infeasible, that the protections continue for as long as you retain it. Finally, there will usually be a provision allowing the Covered Entity to terminate the contract if you fail to report a breach to it or otherwise fail to uphold your end of the agreement.
Sign up today with HIPAAgps to help your organization become HIPAA compliant.