HIPAA Series #7: The Role of Business Associates Under HIPAA

UPDATED: September 24, 2024
Business Associates

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal legislation that lays down the role of each entity involved in protecting the security and privacy of patient data. In particular, HIPAA’s rules apply to healthcare providers, HMOs, and healthcare plans, known as covered entities.

Now comes an important question: How does their responsibility change when these covered entities interact with other entities like the IT support team of specialized companies? This is where HIPAA introduces the concept of a business associate.

In this article, we will look into who is a business associate and its role in HIPAA.

Read the Full HIPAA Series

Our HIPAA Series covers 10 important topics related to HIPAA rules, regulations, and compliance. If you missed one of the posts in the series, navigate to them here:

  1. HIPAA Series #1: Compliance for Healthcare Providers – What You Need to Know
  2. HIPAA Series #2: What is Protected Health Information (PHI) Under HIPAA?
  3. HIPAA Series #3: An Overview of HIPAA’s Privacy and Security Rules
  4. HIPAA Series #4: Ensuring Privacy and Security in Virtual Care
  5. HIPAA Series #5: Steps for Reporting and Mitigating Breaches Under HIPAA
  6. HIPAA Series #6: Building a Culture of Compliance
  7. HIPAA Series #7: The Role of Business Associates Under HIPAA
  8. HIPAA Series #8: The Importance of HIPAA Audits
  9. HIPAA Series #9: HIPAA and Cybersecurity
  10. HIPAA Series #10: HIPAA and Data Sharing

Who is a Business Associate?

The HIPAA legislation applies only to the covered entities, and they are responsible for safeguarding patient data, also known as Protected Health Information (PHI). However, since covered entities do not carry out all the business functions, they are likely to outsource some tasks to experts. Depending on what tasks or business functions are outsourced, the business associates may have access to the PHI.

For this reason, HIPAA defines a business associate as an entity or individual who performs certain functions on behalf of the covered entity and involves the disclosure of PHI.

Business associates include those who perform the following functions:

  • Legal
  • Actuarial
  • Accounting
  • IT operations (including HIPAA compliance software providers or HIPAA-compliant email providers)
  • Consulting
  • Data aggregation
  • Management
  • Administrative
  • Accreditation
  • Finances
  • Claims processing or administration
  • Data analysis, processing, or administration
  • Utilization review
  • Quality assurance
  • Billing
  • Benefit management
  • Practice management
  • Repricing

Note that business associates can also be those who do not fall into any of the above categories. The rule of thumb is that they must access or handle PHI on behalf of the covered entity. A business entity can also be another covered entity.

Business Associate Contracts

The signing of a business associate contract is key to establishing the relationship between a covered entity and a business associate. This contract defines an entity as the business associate of a covered entity.

It must contain the following:

  • A detailed description of how the business associate must use the PHI.
  • Explicitly mentions that the associate will not use the PHI for other reasons and will not disclose it further to unauthorized entities.
  • Mandate the business associate to implement the required safeguards to protect the PHI.

A business associate must abide by the above rules, and they can be legally liable in case of violations.

Here are some things covered entities can do when they identify a violation in the contract:

  • When the covered entity knows of a breach by the business associate, it must take steps to mitigate it.
  • If the business associate violated the agreed terms, the covered entity must end the violation, or even terminate the contract if required.
  • If the covered entity cannot terminate the contract, it must inform the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Exceptions to the Business Associate Contract

Some scenarios don’t require a contract between a covered entity and a business associate. They are:

  • When a covered entity discloses patient information to a healthcare provider for treating a patient. The hospital, physician, or laboratory doesn’t require a contract with the covered entity.
  • Disclosures made to a health plan sponsor like an employer, HMO, or health plan issuer.
  • When the health plan is a public benefits program like Medicare.
  • Disclosures made to a health plan provider for payments or for offering a discount.
  • With persons or organizations that don’t use PHI for their jobs, like janitors and electricians.
  • With entities who participate in an Organized Healthcare Arrangement (OHCA), and who make disclosures to facilitate the joint activities of the OHCA.
  • When a group health plan purchases insurance from an issuer or HMO.
  • If an entity buys reinsurance from an insurer.
  • When an entity wants to disclose information for research purposes or with explicit authorization from the patient.
  • When an entity directly transfers funds to pay for healthcare or health insurance premiums.

In the above situations, the business contract is not required, and hence, there is no business associate relationship with the covered entity.

Responsibilities of the Business Associates

Business associates have the following responsibilities under HIPAA:

  • Use PHI only for permitted purposes.
  • Employ appropriate safeguards to protect PHI.
  • Report any breaches to the covered entity.
  • The subcontractors employed by the business associates abide by the terms and conditions.
  • Make the PHI available to covered entities to enable the latter to perform their obligations.
  • Amend PHI records based on the existing agreement or as instructed by the covered entity.
  • Maintain documentation to prove compliance.
  • Abide by any other clause mentioned in the business agreement.

Failure to perform the above responsibilities can be reasonable grounds for the covered entity to terminate the contracts. It can also open up legal proceedings and fines under HIPAA, where applicable.

Final Words

HIPAA explicitly defines the business associate as an entity having a business associate agreement with a covered entity. Accordingly, the business associate has certain responsibilities and must abide by the terms of the contract. We hope the above information helps you understand the roles and responsibilities of each entity.

Lavanya Rathnam

Lavanya Rathnam is an experienced technology, finance, and compliance writer. She combines her keen understanding of regulatory frameworks and industry best practices with exemplary writing skills to communicate complex concepts of Governance, Risk, and Compliance (GRC) in clear and accessible language. Lavanya specializes in creating informative and engaging content that educates and empowers readers to make informed decisions. She also works with different companies in the Web 3.0, blockchain, fintech, and EV industries to assess their products’ compliance with evolving regulations and standards.

Posted in ArticlesTagged

Leave a Reply

Your email address will not be published. Required fields are marked *