by Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
August 29th, 2014
The associates in the provider’s world and healthcare society are filled with loads of potential business associates and endless Individual identifiable health information.
We have had so many questions about business associates I thought I would go to the source and put together some information from HHS.gov, otherwise known as U.S. Department of Health & Human Services. Maybe I can clear up a few common questions and give you some other resources to do your own research if you would like.
First of all … what is PHI or Individually Identifiable Health Information (HHI)? Basically; it is any information used to identify an individual patient as well as information created or received that has anything to do with a patient. Including demographics as well as past present or future health condition. Specifically; anything that can be used to reasonably identify an individual or treatment.
Why do I need a contract with my Business Associates?
The reason behind the Privacy rule is to obtain assurances from your business associates that they will safeguard the protected health insurance information. This is now required in writing in the form of a contract, called Business Associate Agreement. To learn more about this InstaCode (Instacode.com) has written a book called “Complete and Easy HIPAA COMPLIANCE” the third edition is the most recent. To order your book go to https://instacode.com/node. Your Business Associate Contracts must contain the elements specified at 45 CFR 164.504(e), such as describing the permitted and required uses of PHI by the associate, and that they will not use or disclose the PHI for anything other than as required by law. Also, if there is a breech the covered entity must make the appropriate steps to cure the breech or end the violation it must be made clear how the issue will be resolved.
Who is a covered entity?
The HIPPA Privacy Rule only applies to covered entities – Health Plans, Health Care Clearinghouses and certain health care providers.
Examples and Potential Business Associates:
(This is not a complete list – Examples only)
- A third party administrators
- Anyone assisting a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
- External auditors or accountants
- Professional translator services
- Answering services
- Consultants hired to conduct audits, perform coding reviews, etc.
- Accreditation agencies
- Shredding and/or documentation storage companies
- Data processing firms or software companies that may be exposed to or use PHI.
- Medical transcription services, even if you contract with an individual rather than a company.
- Medical equipment service companies handling equipment that holds PHI.
- E-prescribing Gateways
- Health information organizations
Who is not a business associate?
(This is not a complete list – Examples only)
An External researcher
- Another healthcare provider
- Banking and financial institutions or consumer conducted transactions
- Collections agency
- Janitorial or electrician
- US Postal Service
FAQ’s from HHS.gov
Q. Is a physician or other provider considered to be a business associate of a health plan or other payer?
A. Generally, providers are not business associates of payers.
Q. Is a software vendor a business associate of a covered entity?
A. YES; if your software vendor has access to the PHI, however you may chose to treat the covered entity as an employee, rather than a business associate. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/256.html
Q. Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
A. No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/237.html
Q. Do physicians with hospital privileges have to enter into business associate contracts with the hospital?
A. No. https://www.hhs.gov/hipaa/for-professionals/faq/248/do-hospital-medical-staffs-have-to-enter-into-contracts/index.html
Q. Are accreditation organizations business associates of the covered entities they accredit?
Q. Is a health insurance issuer or HMO who provides health insurance or health coverage to a group health plan a business associate of the group health plan?
Q. When is a health care provider a business associate of another health care provider?
Q. Is a business associate contract required for a covered entity to disclose protected health information to a researcher?
For more information on Exceptions to the Business Associate Standard andother situations in which a business associate contract is NOT required check out these resources: