Business Associates HIPAA Compliance

What Is a “Business Associate?”

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business associate functions and activities include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and re-pricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

Examples of Business Associates.

  • A third-party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.

Business Associates should be aware that the federal American Recovery and Reinvestment Act (ARRA), commonly known as the federal stimulus package, requires all business associates to comply with the security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). Typical business associates include medical billing and information technology firms. As of February 17, 2010, all business associates will become subject to criminal and civil liability for not complying with HIPAA.

Previously, if a covered entity shared protected health information (PHI) with a business associate, the two parties would enter into a business associate agreement. The agreement would contractually require the business associate to protect the PHI. However, the only liability the business associate faced for a violation was a contractual liability to the covered entity, rather than sanctions by the federal government.

Now, however, business associates face federal monetary fines and even criminal liability if their use of PHI violates HIPAA. The new law also requires the Department of Health and Human Services to begin conducting audits of covered entities and business associates to ensure HIPAA compliance. Therefore, if you are a business associate, you will want to make sure you are fully in compliance before the law goes into effect.

The HIPAA law was revised in 2009 to apply directly to Business Associates, and the penalties for violations are severe. Penalties for Business Associates for violations of HIPAA can be as high as $1.5 million per year and can include prison time for the most serious criminal offenses.

We offer two different packages for business associates to help them achieve compliance.

Business Associate Compliance Tool (Less than 50 Employees)

Business Associate Compliance Tool (More than 50 Employees)

We also offer HIPAA Certification for Business Associates and products used by the healthcare industry. Many covered entities request proof that your product is HIPAA compliant or that your company has achieved HIPAA compliance before entering into business with you. Our certification will help you prove your compliance status.

For details on how to achieve a HIPAA compliance seal for your company, services, and products, feel free to contact us at Bob@training-hipaa.net or call (515) 865-4591.