In this lesson, we're going to dig into business associates – who they are, what their requirements are, and also include some examples of common business associates. At the end of the lesson, we'll take a more in-depth look into the business associate agreement.
A business associate is any company or individual with access to PHI or ePHI in support of a covered entity's business. Business associates are required to have the same policies and procedures when it comes to accessing and protecting PHI as covered entities.
Just like covered entities, business associates are required to protect personal health information at all times. They're also required to notify their covered entity of any potential or active data breaches. And in a bigger picture sort of way, business associates must help protect their covered entities at all times.
Pro Tip: Business associates are required to immediately notify their covered entity when a breach of unsecured PHI is discovered. Waiting will only compound the problem and is a breach of HIPAA law.
Business associates can include the following:
- IT service companies
- Cloud service providers
- Laboratories
- Lawyers
- Consultants
- Benefits managers
- Claims processing firms
- Data transmission service providers
- Technology companies
- Suppliers and manufacturers with access to PHI
You may recall the corresponding video for this lesson involving an uncomfortable exchange with Tom the IT guy. Office manager Mary left a medical file laying on the counter and Tom unknowingly wandered over to have a look.
This one incident is actually responsible for two violations – 1) not securing PHI and 2) looking at PHI when you do not have permissible access. Unfortunately for Tom, he doesn't know he's not supposed to look … until he already has looked.
Moral of the story: Don't leave medical files laying around for others to look at.
Business Associate Agreements
Business associates must comply with all HIPAA requirements by providing written contractual agreements to their covered entities. Included in these agreements is:
- The business associate will only use the covered entities protected health information for proper purposes
- The business associate will safeguard the covered entity's PHI from misuse
- The business associate will comply with all of HIPAA's security requirements and will ensure that all administrative, physical, and technical safeguards are followed to keep the covered entity's PHI safe
If a business associate violates any part of the HIPAA rules and regulations or is in violation of the business associate agreement with the covered entity, the business associate will be held accountable for both types of penalties.
In instances where a business associate uses a subcontractor, also known as a downstream supplier, that subcontractor is required by HIPAA to have a contractual agreement with their business associate.
Subcontractors are essentially held to the same HIPAA requirements when it comes to accessing and using protected health information. And like business associates, they are also accountable for any and all penalties when there is a breach of that contract.
A Word About the HIPAA Business Associate Agreement
A HIPAA business associate agreement is a contract between a HIPAA covered entity and a vendor used by that covered entity. As you already know, a HIPAA-covered entity is typically a healthcare provider, health plan, or healthcare clearinghouse that conducts transactions electronically. A vendor of a HIPAA covered entity that needs to be provided with protected health information in order to perform duties on behalf of the covered entity is called a business associate (BA) under HIPAA.
A vendor is also classed as a business associate if, as part of the services provided, ePHI passes through their systems. A signed HIPAA business associate agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI.
Since the passing of the HITECH Act and its incorporation into HIPAA in 2013 via the HIPAA Omnibus Final Rule, subcontractors used by business associates are also required to comply with HIPAA. As you now know, all business associates must likewise obtain a signed HIPAA business associate agreement from its subcontractors before access is given to PHI or ePHI. And if subcontractors use vendors that require access to PHI or ePHI, they too need to enter into business associate agreements with their subcontractors.
The business associate agreement should stipulate that the business associate (or subcontractor) must implement appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI and meet the requirements of the HIPAA Security Rule.
Some of those measures may be stated in the business associate agreement or it may be left to the discretion of the business associate. The business associate agreement should also include the allowable uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule.
In the event that PHI is accessed by individuals unauthorized to view the information, such as an internal breach or cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to individuals whose PHI has been compromised. The timescale and responsibilities for notifications should be detailed in the agreement.
A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations. Both the Department of Health and Human Services' Office for Civil Rights and state attorneys general have the authority to issue financial penalties for violations of HIPAA Rules.
At the end of the next lesson, we'll cover a few more details about business associate agreements that you may want to be aware of.