Institute: ONC | Component: 2 | Unit: 9 | Lecture: c | Slide: 15
Institute: Office of National Coordinator (ONC) Workforce Training Curriculum
Component: The Culture of Health Care
Unit: Privacy, Confidentiality, and Security
Lecture: HIPAA Privacy Rule
Slide content: Business Associates
- Business associate (BA)
- Does work on behalf of a covered entity using or disclosing PHI
- Anyone who comes in contact with and uses PHI
- Must sign agreement with covered entity
- Is directly accountable to HHS for compliance and subject to breach notification rules
- Includes all subcontractors to business associates
Slide notes: HIPAA defines business associates and sets rules for their interactions with covered entities. These rules have been strengthened and updated since the original rule. A business associate is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or in providing services to, a covered entity." Business associates are directly accountable to HHS for compliance and are subject to breach notification rules. Covered entities must have signed agreements with all of their business associates.

Examples of a provider's business associates include billing companies, vendors, software vendors, personal health record vendors, health information exchange organizations, e-prescribing gateways, and other persons or entities that provide data transmission services with respect to PHI to a covered entity and that require routine access to such PHI. Also included is any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate, such as those involved in claims processing and administration, data analysis, utilization review, quality assurance, patient safety activities, and benefits management.

In the original HIPAA legislation, covered entities were only required to obtain what was called "satisfactory assurances" of privacy protections from business associates. Business associates are now required to meet the same rules that covered entities must meet. For example, each business associate must sign an agreement with the covered entity stating that it will adhere to all of the HIPAA privacy rules. When a business associate suffers a breach of information, its subcontractors are also subject to the same HIPAA breach notification rules, which may include investigation and remediation.