HIPAA Business Associate – 6 Observations to Know


There are six observations a HIPAA business associate needs to know, because it’s not only healthcare providers (covered entities) that are subject to the guidelines of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any vendor that renders services to providers involving protected health information (PHI), also known as a business associate, must comply as well.

A business associate is held to the same privacy and security standards as healthcare providers and other covered entities.  Consequently, they are subject to the same penalties for violations.


Which HIPAA business associates must follow HIPAA regulations?

The HIPAA Privacy Rule states that covered entities and their business associates must follow HIPAA rules. Covered entities include healthcare providers, healthcare insurance companies, health plan providers, and healthcare clearinghouses.

Business associates, simply put, are vendors or subcontractors that provide services to covered entities.  In addition, they have access to patients’ protected health information (PHI). They include any entity that must handle, process, transmit, or interact with patient data from the covered entity.

Some examples of business associates include:

  • Medical billing companies.
  • Shredding services.
  • Answering services.
  • Medical transcriptionists.
  • Accounting firms.
  • Lawyers.
  • Translation services.
  • IT vendors.


What is a HIPAA business associate agreement (BAA)?

Business associates are required to sign a business associate agreement (BAA) with the covered entity they work with. The BAA is a legal document that outlines exactly how business associates must handle PHI, including hard and electronic copies. Both parties should sign this agreement before the business associate can begin working with a covered entity.

There are a few critical details that must be included in a BAA.

  • First, the business associate must guarantee they will only disclose PHI in a manner that is permitted by the covered entity or HIPAA regulations. The business associate is responsible for putting into place safeguards that do not allow the unauthorized use of PHI.
  • Secondly, the business associate must agree to comply with HIPAA regulations.  Also, they must require their own subcontractors who have access to PHI to sign a BAA with them.

Note: even if you did not sign a BAA (business associate agreement) with a covered entity, you are still a business associate if you are handling, processing, or otherwise coming into contact with PHI.


Who do the subcontractors of business associates sign their agreements with?

Confusion sometimes arises regarding subcontractors that work directly for a covered entity’s business associate. In 2013, HIPAA was updated with the HIPAA HITECH Omnibus Rule. This new rule complicated things for subcontractors. Now, subcontractors of vendors that provide services to providers are identified as business associates as well. This means they must protect the privacy of PHI they handle themselves.

Subcontractors are typically hosting providers or software developers.  Additionally, they have access to PHI through the business associate rather than directly from the covered entity. The question then arises: Who does the subcontractor sign a BAA with?

  • The covered entity is required to have business associate agreements with all of its vendors.
  • These vendors are, in turn, required to sign subcontractor agreements with their subcontractors that have access to PHI.

Each entity that comes in contact with PHI is required to protect it and disclose breach notifications when required. Also, it’s important to note that a subcontractor is still required to be HIPAA-compliant, even in the following circumstances:

  • They don’t store data, but it’s transmitted within their system.
  • They encrypt all data. This is certainly required, but HIPAA expands beyond merely data encryption, and those requirements should be outlined in their BAA as well.
  • They are not covered under their vendor’s BAA with the covered entity. Each subcontractor needs its own signed agreement with the vendor.


Is a HIPAA risk assessment necessary for business associates?

Yes, just as covered entities need to conduct regular risk assessments for HIPAA compliance, their business associates must do the same. Every organization that comes into contact with PHI, not just medical providers, must conduct a thorough risk analysis according to the HIPAA Security Rule.

The Office for Civil Rights (OCR) issues fines for non-compliance. In 2019, the Department of Health and Human Services (HHS) updated its information on the financial penalties that can be incurred by business associates. Beyond financial penalties from the government, covered entities can sue business associates if the business associate breaches any part of their business agreement.


What about cloud service providers?

As advanced technologies in data management continue to emerge, cloud service providers (CSPs) are becoming more widespread as vendors in the healthcare industry. In 2016, HHS released updated information on cloud computing for business associates.

HHS explains that covered entities and business associates must enter into HIPAA business associate agreements with their cloud service providers. Even if a CSP stores encrypted data and does not have the encryption key, they are required to maintain HIPAA compliance.


Is your organization HIPAA compliant?

HIPAA regulations can seem overwhelming, but ignorance is not an excuse to the OCR or HHS. If your organization is a HIPAA covered entity, business associate, or subcontractor, you will need to ensure you are fully compliant.

Remember, HIPAA compliance is not a one-time process but an ongoing commitment to follow all regulations.  This includes remaining current on updates as well as training employees on privacy and security information procedures.
