Frequently Asked Questions About HIPAA Business Associates

The Health Insurance Portability and Accountability Act has two major purposes. The first is to provide health insurance coverage for workers who have lost their jobs or moved to another company. The second is to reduce healthcare costs by standardizing the electronic transmission of healthcare-related data.

HIPAA is now better known for its robust standards for patient data privacy. Its Privacy Rule and Security Rule detail the standards for protecting an individual's Protected Health Information (PHI) and electronic PHI.

Business associates are required to be HIPAA compliant. However, many people are unsure which HIPAA standards and rules apply to business associates. Companies working in the healthcare industry have to provide HIPAA training for business associates to ensure their employees understand and follow the compliance rules.

Training might not cover every detail or situation a business associate encounters. This article answers some frequently asked questions about business associates and HIPAA.

What Information is Covered in HIPAA?

The HIPAA Privacy Rule safeguards all of a patient's identifiable health information, in any form: paper, oral, or digital. PHI includes, but is not limited to, the following:

●     Patient’s name, age, birth date, address, government-issued numbers (e.g., Social Security number), or biometric identifiers

●     Patient’s past, current, and future mental or physical health condition

●     Any care or treatment given to the patient

●     Payment information that can identify the patient

●     Any information that can be reasonably used to identify the patient

What is the Purpose of a Business Associate with Regards to HIPAA?

A business associate (BA) is a person or company that may receive access to a patient's PHI in order to perform a specific task. Covered entities like hospitals and doctors often use BAs to do a job on their behalf.

One example is a hospital hiring an IT consultant to streamline its administrative system. Accounting firms, law firms, and software providers can be business associates.

A covered entity has to enter into a Business Associate Agreement (BAA) with each business associate it hires. The contract defines how the BA will use and disclose PHI and ensures compliance.

Does a Health Provider Need a BAA to Work With Another Provider?

A doctor doesn’t need a BAA to disclose a patient’s medical condition to another doctor, and doesn't need the patient’s authorization either. This is because every health provider is itself a covered entity; a BAA is only for a third-party company.

However, there are strict rules on disclosing a patient’s information. The doctor can only discuss a patient with a fellow health provider during treatment consultations. They should also be in a private setting with a low risk of being overheard.

Is an Employment Agency Providing Assistants a Business Associate?

Yes, an employment agency can be considered a business associate, but only if the agency is performing a service on behalf of a health organization or covered entity. For example, the employment agency might send an administrator to handle the front desk and other administrative work. That temporary worker will be given access to PHI and will be under the direct control of the hospital, clinic, or doctor.

What Should a Business Associate Do If It Uncovers a Security Breach?

A business associate is required by the HIPAA Breach Notification Rule to report the breach to the covered entity. It should inform the covered entity without delay, and no later than 60 days after discovering the breach.

The business associate must also provide the covered entity with as much information as possible. They must give the following details:

●     Identity of each person whose PHI was compromised (or whom the business associate believes may have been exposed)

●     Other information the covered entity must include in their notification

The covered entity is responsible for notifying the affected individuals and the US Department of Health and Human Services (HHS) of the breach.

What Happens to PHI When the BAA Ends?

If possible, the business associate must return or destroy the PHI at the end of the BAA. The company is not allowed to keep any copy of the PHI. If it is not feasible to destroy or return the records, the business associate must continue safeguarding the PHI as required by the BAA.

In that case, the business associate must not use or transmit the retained PHI for any purpose other than the reasons that made its destruction or return infeasible.

Complying with HIPAA is critical for business associates. Failure to do so results in severe penalties. Undergoing HIPAA training for business associates can help a company perform to the expected standards.

Vivek is a published author at Meidilight and a cofounder of Zestful Outreach Agency. He is passionate about helping webmasters rank their keywords through good-quality website backlinks. In his spare time, he loves to swim and cycle. You can find him on Twitter and LinkedIn.