HIPAA’s regulations refer to two parties: a covered entity and a business associate. Both groups are required to achieve PHI compliance. Specifically, this means they are liable for protecting the confidentiality, integrity, and availability of protected health information (PHI).
Understanding the definitions of “covered entity” and “business associate” can help ensure you’re putting the right protocols and protections in place to stay in line with HIPAA’s Privacy Rule requirements.
The penalties for violating HIPAA can be quite steep. As a result, it’s worth taking the time to learn if your business is a covered entity or business associate and whether your partners may also fall under these categories.
Covered entities under HIPAA
Covered entities are defined as:
- Health plans,
- Health care clearinghouses, and
- Health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
What are some examples of covered entities under HIPAA? Here’s a handy table from the Department of Health and Human Services to help you better understand what each of these categories means.
| A Health Care Provider | A Health Plan | A Health Care Clearinghouse |
|---|---|---|
| This category includes: ...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard. | This includes: health insurance companies; government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs. | This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. |
Likewise, researchers are considered covered entities if they are also health care providers that transmit ePHI. Typically, this means that physicians who conduct clinical studies must comply with the Privacy Rule.
As you can see, most individuals who work in a healthcare-related profession are subject to HIPAA rules. But, even those who work in adjacent industries may be liable too — as “business associates”.
What are HIPAA business associates?
The HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
Essentially, any business partner of a covered entity that requires access to PHI is considered a business associate. Remember, the definition of PHI is extensive and involves 18 identifiers — many of which don’t have to do with health information. PHI can simply be a patient’s name, social security number, address, or date of birth. As a result, the definition of a business associate applies to a wide range of companies.
Business associates may offer legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity. As long as PHI is shared with that organization, it is liable under HIPAA’s Privacy Rule.
Here are some examples of business associates from HHS:
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
Business associates don’t have the same level of responsibility as covered entities under HIPAA, but they are responsible for creating systems that set up safeguards for PHI prior to entering an agreement with covered entities. Here’s what HIPAA requires of business associate contracts with covered entities.
HIPAA rules for business associate contracts
Before PHI can be shared with a business associate, that organization must enter into a HIPAA-compliant agreement with the covered entity. HIPAA is prescriptive about what this agreement must include under 45 CFR 164.504(e).
This contract must clearly outline the permitted and required uses of PHI that the business associate is allowed to undertake. The business associate must agree not to disclose PHI outside of the parameters set forth by the contract, as well as agree to take measures to safeguard the use or disclosure of PHI.
“Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement,” wrote HHS.
It’s important to note that SaaS companies are considered business associates if the covered entity intends to use the software to share PHI. As a result, if you are a covered entity that uses a tool like Slack, DocuSign, or Microsoft Teams in the course of everyday work, you may need to escalate security protocols on those platforms to ensure they are HIPAA compliant.
Learn how Nightfall can help achieve HIPAA compliance by setting up a demo at the link below.