How Do I Know – Am I A Healthcare Business Associate?
These days, doctors and dentists, known as Covered Entities (CE), outsource their business activities to service providers.
Health & Human Services (HHS) defines a “Business Associate” (BA) as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a CE.
A member of the CE’s workforce is not a BA; however, if paid by 1099 they are a BA! A covered healthcare provider, health plan, or healthcare clearinghouse can be a BA of another CE.
Examples of BA services include (not a complete list of services):
- Legal
- Marketing
- Actuarial
- Accounting
- Consulting
- Data Aggregation
- Management
- Administrative
- Accreditation
- Managed Service Providers
- Information Technology Contractors
- Financial
Examples of BA functions and activities include (not a complete list of functions and activities):
- Claims Processing, and/or Administration
- Data Analysis, Processing, and/or Administration
- Utilization Review
- Quality Assurance
- Billing, Coding, Transcription
- Benefit Management
- Practice Management and/or Repricing
Examples of BAs (not a complete list of examples):
- A third party administrator that assists a health plan with claims processing.
- A marketing consultant and/or agency collecting even minimal contact information, such as name, address, and email, the top 3 of the 18 types of PHI identifiers.
- A CPA firm whose accounting services to a health care provider involve access to PHI.
- An attorney whose legal services to a health plan involve access to PHI.
- A consultant that performs utilization reviews for a hospital.
- A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a CE and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
What Should You Do FIRST!!
Before CEs ask a BA to create, receive, maintain, store, and/or transmit PHI, they are required to:
- Identify each of their BAs
- Confirm there is a current signed Business Associate Agreement (BAA) for each BA
The BAA must limit the BA’s access to PHI, allowing only what is necessary to carry out their activities defined by the CE.
BAs Hire Subcontractors
It is not uncommon for BAs to outsource their work to subcontractors. A BA must obtain a signed BAA from each subcontractor before exchanging PHI.
Subcontractors are entities to which a BA delegates a function, activity, or service, other than as a member of the BA’s workforce.
There is no limit to the number of subcontractors that may be liable, because a subcontractor might delegate functions to other subcontractors, creating a chain of BA entities.
Why Does This Matter?
Simple, because BAs can be and have been held directly liable and subject to civil and, in some cases, criminal penalties for making uses and/or disclosures of PHI that were not authorized.
I am just scratching the surface of what activities make them BAs.
Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility!
Covered Entities and their Business Associates need to understand patients are entrusting YOU with their most private and intimate details, and they expect it to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
That’s right, I am hosting a free webinar on Wednesday, February 20, 2019 @ 1p E/10a P
Don’t forget to register – Hope To See You There!!