The terms covered entity and business associate are used widely in HIPAA legislation, but do HIPAA business associates and HIPAA covered entities have in common?
HIPAA Covered Entities Defined
HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically send health information for transactions included in HHS standards.
Types of Healthcare providers are hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies and nursing homes. Health plans include health insurance companies, company health plans, government programs that pay for healthcare treatment, and HMO’s. Healthcare clearinghouses include transcription service companies that change data to make it compliant and groups that process non-standard health information.
Even if an organization is a healthcare provider, health plan or healthcare clearinghouse, they are not thought of as a HIPAA covered body if they do not send any information electronically for transactions that HHS has adopted standards. In such cases, the group would not have to comply with HIPAA Rules.
Legally, the HIPAA Privacy Rule only applies to covered bodies, although since covered entities normally require the services of vendors, which may need access to PHI in order to carry out certain tasks, the HIPAA Privacy Rule permits covered entities to share PHI with those companies.
Before PHI can be sent, vendors must agree to use the PHI only for the tasks that they have been hired to perform. They must also agree not to share the PHI to other entities, and must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Covered bodie must obtain ‘satisfactory assurances,’ in writing, in the form of a contract, that HIPAA Rules will be respected.
HIPAA Business Associate Defined
A HIPAA business associate is any group, be that an individual or a company, that is given access to protected health information to carry out services for a HIPAA covered group.
Software providers, whose solutions interact with databases that hold ePHI, are considered business associates, as are cloud service providers, cloud platforms, document storage companies (physical and electronic storage), collection agencies, medical billing companies, asset and document recycling firms, answering services, attorneys, actuaries, consultants, medical device manufacturers, transcription companies, CPA firms, third party administrators, medical delivery companies and marketing agencies. Business associates of covered entities must also comply with HIPAA Rules and can be fined directly by regulators for noncompliance.
Business associates of HIPAA covered groups must complete a contract with the covered entity, termed a business associate agreement or BAA, that lists the responsibilities of the business associate and explains that the business associate is required to adhere with HIPAA Rules.
It is the responsibility of a business associate to make sure sure that if any subcontractors are used, they too agree to fall in line with HIPAA Rules and sign a BAA. Information on when a business associate agreement is not required are detailed here.
While a business associate must say that they will comply with HIPAA Rules and is responsible for ensuring the confidentiality, integrity, and availability of PHI in its possession, it is the responsibility of a covered entity to ensure that all business associates are in operating in adherence with HIPAA Rules. If a business associate fails to comply with HIPAA Rules, it is the responsibility of the covered entity to take steps to ensure noncompliance is corrected or the contract with the business associate is ended.
The HHS has developed a tool that outlines the differences between a HIPAA business associate and a HIPAA covered entity. This can be used to deduce of if you are a covered entity or a business associate and whether HIPAA Rules must be adhered with.