The modern healthcare system is a massive and complex machine. A critical cog in this machinery is the patient’s protected health information (PHI) or personal health information. It is the complete medical history of patients, right down to the smallest laboratory results. It also carries their details, like insurance numbers and demographic information.
It’s easy to see how important it is to protect PHI. The Health Insurance Portability and Accountability Act (HIPAA) is the main legislation that manages the access, use, and disclosure of PHI in the USA.
Keeping PHI secure is a challenge since patient information can be found in many places. It’s why HIPAA requires Covered Entities and Business Associates to protect this sensitive information zealously. The latter is also required to undergo regular HIPAA training for business associates.
There’s a lot of focus and pressure on business associates to become HIPAA compliant because the healthcare industry relies on them extensively. They handle key parts of the business, like storage, software, and billing.
Are you working to move your company into this rarified field? Then it’s in your best interest to understand what it means to be a business associate. This article will help you on your way.
What is a Business Associate?
According to the HIPAA, a business associate is a person or organization that does work for a covered entity. The work could entail revealing or using PHI. In simpler terms, your company is considered a business associate if you might access PHI during the job.
Here are some examples of companies that can be considered business associates if they work with covered entities:
- Collections or claims processing companies
- Answering services
- IT Consultant or contractor
- Software vendors given access to PHI
- Medical transcriptionists
- Translators
- Companies developing medical equipment that uses PHI
- Third-party administrators
- Patient safety organizations and accreditation companies
Accounting firms, auditors, finance companies, and law firms can also be considered business associates depending on the data they can access as part of their tasks.
Companies based in another country can also become business associates if they receive, transmit, or manage information that pertains to or identifies a patient in the United States.
What is a Business Associate Agreement?
As the healthcare industry grew and digitalization became the norm, the office for Civil Rights (OCR) realized there must be stricter rules for business associates. Think of the OCR as the HIPAA’s enforcer.
The OCR decided to make these entities compliant and ensure the protection of sensitive data. One was to do this via a Business Associate Agreement (BAA).
The HIPAA now requires all covered entities and their business associates to sign a BAA. This contract outlines the responsibilities and duties of a covered entity and its business associates as they pertain to PHI security.
The Business Associate Agreement between the two parties must have the following details:
- Type of access the business associate will have and how it will secure PHI: The business associate will agree to enforce the technical, physical, and administrative precautions to protect PHI as stated in the HIPAA. The business associate must give their covered entity partner copies of their HIPAA compliance policies and procedures when requested. Failure to do will cause issues.
- Proof that employees undergo regular HIPAA training for business associates. The business associate’s entire workforce should undergo and complete HIPAA training. It will help employees understand the importance of protecting PHI and the responsibilities that come with it. The HIPAA requires that business associates provide proof that their workers have completed the relevant training.
- Steps to take in a data breach: The BAA agreement must specify that the business associate contacts the covered entity immediately if they have a data breach. The contract states notice of any data issues is relayed within 15 days of discovering a security faux pas.
- Show subcontractor compliance: Any subcontractors a business associate use are required to also be HIPAA compliant.
- Termination of BAA: The covered entity is allowed to end its contract with the business associate if they’re found to have violated contract terms.
- Return or Destruction of PHI: it should also be stated that the business associate will return or destroy any personal health information they’ve received from the covered entity.
Business associates are only a part of the healthcare machine. Being a business associate is a challenging and ultimately rewarding endeavor. Learning what the job is about and how critical PHI security is is essential if you want to do well in the industry.