Healthcare Business Associates – Did You Know?
The HIPAA Privacy, Security, and Breach Notification Rules apply to both Covered Entities (CEs) and their Business Associates (BAs).
Healthcare providers and dentists, referred to as CEs, outsource many of their daily administrative activities to third parties and their subcontractors, referred to as BAs, to provide specific health and/or business services.
What Do BAs Do?
A Healthcare Business Associate can be a person or an organization, other than an employee of a CE, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI.
A BA can also be a subcontractor responsible for creating, receiving, maintaining, or transmitting Protected Health Information (PHI) on behalf of the CE (45 CFR 160.103).
BAs provide services to CEs that include:
- Managed Service Provider
- Management Administration
- Billing, Coding, Transcription
- Marketing companies
- Utilization Review
- Information technology contractors
- Data Analysis
- Data storage or document destruction companies
- Data transmission companies or vendors who routinely access PHI
- Third Party Administrators (TPA)
- Malpractice insurers
NOTE: A CE can be a BA of another CE.
Why Should You Care?
It is YOUR responsibility as the CE to put in place a Business Associate Agreement (BAA) that holds the third party to the same standards of Privacy and Confidentiality as yourself.
Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” newsletter today.