The HIPAA Privacy Rule created, for the first time, a set of national standards for safeguarding certain health information. It was issued by the U.S. Department of Health and Human Services (“HHS”), and its enforcement is handled by the Office for Civil Rights (“OCR”), which is an office within HHS.
The HIPAA Privacy Rule applies to Covered Entities
Health plans, health care clearinghouses, and certain health care providers that conduct health care transactions electronically are deemed covered entities. In a nutshell, the Rule requires suitable safeguards to be in place to protect the privacy of personal health information. It also sets limits and conditions on its uses and disclosures. In addition, the Rule gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The focus of this post, however, is the fact that most covered entities do not handle all of their health care activities and functions by themselves. Instead, they often use third parties for help. Like a majority of organizations in the U.S., covered entities outsource some of their business functions. What is important to note is that if these third parties handle protected health information (PHI) on behalf of the covered entity, they are considered Business Associates. In other words, a Business Associate is an entity that performs certain activities involving the use or disclosure of protected health information on behalf of a covered entity. It should be noted that a member of the covered entity’s workforce is not considered a Business Associate.
HIPAA Privacy Rule for Business Associates
The HIPAA Privacy Rule allows covered entities to disclose PHI to a Business Associate (BA) if they receive assurances that the BA will use the information only within the scope for which it was engaged by the covered entity. The BA must protect the information from misuse and unauthorized access. Put differently, a primary obligation of a Business Associate is to help covered entities comply with the HIPAA Privacy Rule.
Examples of Business Associates
An example of a Business Associate is an entity that provides data transmission services with respect to protected health information to a covered entity and that requires access on a recurring basis to such protected health information. Paubox is therefore a prime example of a Business Associate for a covered entity. Paubox was in fact built around both HIPAA compliance and customer demand and feedback from covered entities. Another important example of a Business Associate involves the use of subcontractors. Any subcontractor of a Business Associate that creates, receives, maintains, or transmits protected health information on behalf of the BA is itself also a Business Associate.
This post succinctly outlined what the HIPAA Privacy Rule is and who maintains and enforces it. We noted whom it protects and who must adhere to it. We then discussed the concept of a Business Associate and why Business Associates are important to the covered entities they serve. We also explored several examples of Business Associates and how Paubox was built based on customer feedback. Next we'll be covering the Business Associate Agreement, which is a written agreement, required by law, between a covered entity and a Business Associate.