The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal legislation that lays down the role of each entity involved in protecting the security and privacy of patient data. In particular, HIPAA’s rules apply to healthcare providers, HMOs, and healthcare plans, known as covered entities.
Now comes an important question? When these covered entities interact with other entities like the IT support team of specialized companies, how does their responsibility change? This is where HIPAA introduces the concept of a business associate.
In this article, we will look into who is a business associate and its role in HIPAA.
Who is a Business Associate?
The HIPAA legislation applies only to the covered entities, and they are responsible for safeguarding patient data, also known as Protected Health Information (PHI). However, since covered entities do not carry out all the business functions, they are likely to outsource some tasks to experts. Depending on what tasks or business functions are outsourced, the business associates may have access to the PHI.
For this reason, HIPAA defines a business associate as an entity or individual who performs certain functions on behalf of the covered entity and involves the disclosure of PHI.
Business associates include those who perform the following functions:
- Legal
- Actuarial
- Accounting
- IT operations
- Consulting
- Data aggregation
- Management
- Administrative
- Accreditation
- Finances
- Claims processing or administration
- Data analysis, processing, or administration.
- Utilization review.
- Quality assurance.
- Billing
- Benefit management
- Practice management
- Repricing
Note that business associates can also be those not falling into any of the above categories. The rule of thumb is that they must access or handle PHI on behalf of the covered entity. A business entity can also be another covered entity.
Business Associate Contracts
The signing of a business associate contract is key to establishing the relationship between a covered entity and a business associate. This contract defines an entity as the business associate of a covered entity.
It must contain the following:
- A detailed description of how the business associate must use the PHI.
- Explicitly mentions that the associate will not use the PHI for other reasons and will not disclose it further to unauthorized entities.
- Mandate the business associate to implement the required safeguards to protect the PHI.
A business associate must abide by the above rules, and they can be legally liable in case of violations.
Here are some things covered entities can do when they identify a violation in the contract:
- When the covered entity knows of a breach by the business associate, it must take steps to mitigate it.
- If the business associate violated the agreed terms, the covered entity must end the violation, or even terminate the contract if required.
- If the covered entity cannot terminate the contract, it must inform the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Exceptions to the Business Associate Contract
Some scenarios don’t require a contract between a covered entity and a business associate. They are:
- When a covered entity discloses patient information to a healthcare provider for treating a patient. The hospital, physician, or laboratory doesn’t require a contract with the covered entity.
- Disclosures made to a health plan sponsor like an employer, HMO, or health plan issuer.
- When the health plan is a public benefits program like Medicare.
- Disclosures made to a health plan provider for payments or for offering a discount.
- With persons or organizations that don’t use PHI for their jobs, like janitors and electricians.
- With entities who participate in an Organized Healthcare Arrangement (OHCA), and who make disclosures to facilitate the joint activities of the OHCA.
- When a group health plan purchases insurance from an issuer or HMO.
- If an entity buys reinsurance from an insurer.
- When an entity wants to disclose information for research purposes or with explicit authorization from the patient.
- When an entity directly transfers funds to pay for healthcare or health insurance premiums.
In the above situations, the business contract is not required, and hence, there is no business associate relationship with the covered entity.
Responsibilities of the Business Associates
Business associates have the following responsibilities under HIPAA:
- Use PHI only for permitted purposes.
- Employ appropriate safeguards to protect PHI.
- Report any breaches to the covered entity.
- The subcontractors employed by the business associates abide by the terms and conditions.
- Make the PHI available to covered entities to enable the latter to perform their obligations.
- Amend PHI records based on the existing agreement or as instructed by the covered entity.
- Maintain documentation to prove compliance.
- Abide by any other clause mentioned in the business agreement.
Failure to perform the above responsibilities can be a reasonable ground for the covered entity to terminate the contracts. It can also open up legal proceedings and fines under HIPAA, where applicable.
Final Words
HIPAA explicitly defines the business associate as an entity having a business associate agreement with a covered entity. Accordingly, the business associate has certain responsibilities and must abide by the terms of the contract. We hope the above information helps you understand the roles and responsibilities of each entity.