Knowing the distinction between a covered entity and a business associate is essential because the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies differently to the two.
With that distinction clear, Compliance Officers and staff can better understand what the Office for Civil Rights (OCR) expects of their organization under HIPAA and implement the procedures needed to remain compliant.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule protects a person’s medical records and other individually identifiable health information and gives patients rights over that information.
HIPAA also applies to covered entities and business associates: it requires each to follow specific rules and places restrictions and conditions on the use and disclosure of certain patient information.
What are Covered Entities?
Covered Entities (CEs) are healthcare providers that use Protected Health Information (PHI). HIPAA requires every CE to comply with the HIPAA Security Rule to protect patient data. If a CE discloses PHI to an organization that is not a CE (e.g., a billing software vendor), the CE is required to put a Business Associate Agreement (BAA) in place with that organization.
What are BAs, and does HIPAA apply to them?
Business Associates (BAs) are non-Covered Entities that have access to PHI. A Business Associate Agreement states that the organization acknowledges it has access to a CE’s PHI and that it will protect that PHI per the HIPAA Security Rule.
The Privacy Rule and Covered Entities
Legally, the HIPAA Privacy Rule applies only to covered entities. A covered entity can be a health plan, a health care clearinghouse or a health care provider that electronically transmits any type of health information. Examples are your doctor, hospital, insurance company and health insurance plan, whether it is a private, employee, state or federal plan.
It is common, however, for health care providers and health plans to use the services of other individuals or businesses to help carry out their health care functions. That is where business associates come in.
The Privacy Rule and Business Associates
A business associate is an individual or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or as a service to, a covered entity.
A health plan, health care clearinghouse or covered health care provider can itself be a business associate of another covered entity, but a member of the covered entity’s own workforce is not considered a business associate.
Typical business associates include attorneys, CPA firms, independent medical transcriptionists and pharmacy benefits managers. Services provided by business associates include accounting, billing, claims processing and data management, to name a few examples.
The Responsibility of Covered Entities
Covered entities are responsible for ensuring that their business associates safeguard protected health information. The contract between a covered entity and its business associate must be HIPAA compliant. If a business associate breaches that contract, it is up to the covered entity to have the breach corrected or to terminate the contract.
The Responsibility of Business Associates
In the event of a loss of PHI by a BA, the CE can be held responsible for that loss. How? Having a BA sign the CE’s BAA does not absolve the CE. The CE is required to have every BA sign a BAA and to verify that the BA has completed a security risk assessment (SRA) per 45 CFR 164.308(a)(1), the HIPAA Security Rule.