How Do I Know – Am I A Healthcare Business Associate?
These days, doctors and dentists, known as Covered Entities (CE), outsource their business activities to service providers.
Health & Human Services (HHS) defines a “Business Associate” (BA) as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a CE.
A member of the CE’s workforce is not a BA; however, if paid by 1099 they are a BA! A covered healthcare provider, health plan, or healthcare clearinghouse can be a BA of another CE.
Examples of BA services include (not a complete list of services):
- Legal
- Marketing
- Actuarial
- Accounting
- Consulting
- Data Aggregation
- Management
- Administrative
- Accreditation
- Managed Service Providers
- Information Technology Contractors
- Financial
Examples of BA functions and activities include (not a complete list of functions and activities):
- Claims Processing and/or Administration
- Data Analysis, Processing, and/or Administration
- Utilization Review
- Quality Assurance
- Billing, Coding, Transcription
- Benefit Management
- Practice Management and/or Repricing
Examples of BAs (not a complete list of examples):
- A third party administrator that assists a health plan with claims processing.
- A marketing consultant and/or agency collecting even minimal contact information, such as Name, Address, and Email, the top 3 of the 18 types of PHI identifiers.
- A CPA firm whose accounting services to a health care provider involve access to PHI.
- An attorney whose legal services to a health plan involve access to PHI.
- A consultant that performs utilization reviews for a hospital.
- A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a CE and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
What Should You Do FIRST!!
Before CEs ask a BA to create, receive, maintain, store, and/or transmit PHI, they are required to:
- Identify each of their BAs
- Confirm there is a current signed Business Associate Agreement (BAA) for each BA
The BAA must limit the BA’s access to PHI, allowing only what is necessary to carry out their activities defined by the CE.
BAs Hire Subcontractors
It is not uncommon for BAs to outsource their work to subcontractors. A BA must obtain a signed BAA from each subcontractor before exchanging PHI.
Subcontractors are entities to which a BA delegates a function, activity, or service, other than as a member of the BA’s workforce.
There is no limit to the number of subcontractors that may be liable, because a subcontractor might delegate functions to other subcontractors, creating a chain of BA entities.
Why Does This Matter?
Simple, because BAs can be and have been held directly liable and subject to civil and, in some cases, criminal penalties for making uses and/or disclosures of PHI that were not authorized.
I am just scratching the surface of what activities make them BAs.
Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility!
Covered Entities and their Business Associates need to understand that patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
That’s right, I am hosting a free webinar on Wednesday, February 20, 2019 @ 1p E/10a P
Don’t forget to register – Hope To See You There!!