Business Associate Management

Under HIPAA, a Covered Entity (CE) is a health care provider, a health plan, or a health care clearinghouse. A "business associate" (BA) is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of a CE, or that provides services to a CE that require access to PHI. BAs include claims processors, billing companies, and technical support providers. Consultants, attorneys, and even accountants are BAs if they are given access to PHI. Cloud data storage providers and web-based PHI delivery services are also BAs, and a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a BA is itself a BA.


HIPAA Responsibilities of a Business Associate (BA)

Sharing PHI between a CE and a BA is a serious matter with HIPAA ramifications. The BA is directly responsible for safeguarding the PHI it handles, essentially to the same standard as the CE, including compliance with the Security Rule. The BA may use and disclose the PHI only as its agreement with the CE permits or requires, and it has specific obligations to notify the CE of a breach of unsecured PHI and to respond to the incident.


What is a Business Associate Agreement (BAA)?

A CE's contract or other written arrangement with its BA must contain the elements specified at 45 CFR 164.504(e). These elements define what the BA is permitted and required to do with the PHI, what safeguards the BA must apply to protect it, and what the BA must do if it experiences a breach or other unauthorized use or disclosure.


What are "satisfactory assurances"?

The HIPAA Privacy Rule (and, for electronic PHI, the Security Rule) requires that a CE obtain "satisfactory assurances" from its BA that the BA will appropriately safeguard the protected health information it receives or creates on behalf of the CE. These assurances must be in writing, whether in the form of a contract or another written agreement between the CE and the BA.


What is Business Associate Management?

You must have a proper BAA and the required "satisfactory assurances" in place for each BA with whom you share PHI. Non-existent or inadequate Business Associate Agreements are one of the five most common HIPAA violations. If you do not have a proper BAA, with the required "satisfactory assurances", in place with each of your BAs, you are not in compliance. We can help.