If you have ever dealt with, or even thought about, HIPAA, you have discovered that it comes with a great deal of jargon. This article walks through another of the basics: the business associate.
Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity (a term we covered in an earlier post, What’s Hip with HIPAA? Covered Entities) can be held responsible for privacy breaches committed by its business associates. A “business associate” is a person or entity, other than a member of the covered entity’s workforce, that performs functions or activities on behalf of, or provides certain services to, a covered entity where doing so involves access to protected health information (PHI) (also covered in an earlier post, What’s Hip with HIPAA? Protected Health Information). Before disclosing PHI to a business associate, the covered entity must enter into a written business associate agreement with it.
Under such an agreement, the business associate will agree to:
- Use and disclose the PHI only for the purposes specified in the agreement.
- Safeguard the information against misuse or unauthorized disclosure.
- Report to the covered entity any use or disclosure not permitted by the agreement, including any breach of the PHI.
- Comply with the applicable requirements of the HIPAA Privacy Rule (and, for electronic PHI, the Security Rule).
Like covered entities, business associates can be held liable for civil or criminal penalties for violating HIPAA requirements. If a business associate violates the privacy obligations in the business associate agreement, it must notify the covered entity. The covered entity must then take reasonable steps to cure the violation. If the violation cannot be cured, the covered entity should terminate the business associate agreement, where termination is feasible.
The critical point to remember is that a covered entity cannot share PHI with a business associate unless a valid business associate agreement is in place. Business associate agreements are fairly standard documents whose terms closely track the HIPAA requirements.