What are HIPAA business associates? Are they held to the same healthcare privacy and security requirements as covered entities? According to HHS, any individual or entity that performs functions or activities on behalf of a covered entity, where those functions require access to protected health information (PHI), is a business associate. For example, the outside IT contractor that maintains the information systems in your medical practice is a business associate. The cloud service provider that hosts your medical billing applications is a business associate. Even the gig-economy technician your IT contractor sent over to swap out a broken piece of equipment is a business associate if the job gives them access to PHI. Do you have a written agreement in place with each of them? Do you know what a BAA really is?

Business associates also include individuals or organizations that provide services to a covered entity when those services involve PHI. Examples include a consultant who performs utilization reviews for a hospital, or an attorney who has access to PHI while providing legal services to a healthcare provider.

The 2013 HIPAA Omnibus Final Rule, which implemented the HITECH Act, changed what business associates are expected to do to keep PHI secure.

“The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” HHS states on its website. “The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

Under the Omnibus Rule, business associates are now directly liable under HIPAA and face penalties comparable to those a covered entity faces should PHI be compromised in a healthcare data breach.

A business associate agreement (BAA), also called a business associate contract, is a written arrangement that spells out each party’s responsibilities when it comes to PHI.

The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”

A BAA should be on everybody’s checklist

See Our HIPAA Compliance Checklist
