Paubox blog: HIPAA compliant email made easy

What are the different arrangements under HIPAA?

Written by Kirsten Peremore | September 25, 2023

Under HIPAA, there are two primary arrangements recognized: Affiliated Covered Entity (ACE) and Organized Healthcare Arrangement (OHCA). These arrangements serve different purposes and provide a framework for healthcare organizations to simplify compliance efforts and share certain administrative responsibilities.

What are affiliated covered entities?

The affiliated covered entity (ACE) designation permits legally distinct entities under common ownership or control to function as a single covered entity under HIPAA regulations. This designation offers significant advantages, such as the ability to develop and distribute a single notice of privacy practices, adhere to a unified set of policies and procedures, appoint a single privacy official, and implement shared training programs, among other benefits. By consolidating these aspects of compliance, ACEs can achieve economies of scale and reduce administrative burden, ultimately ensuring the efficient management of protected health information (PHI) while maintaining the distinct legal identities of each participating entity.

What are organized healthcare arrangements?

Organized Healthcare Arrangements (OHCAs) are particularly valuable when healthcare settings are clinically integrated, but there is no common ownership or control among participating entities. In an OHCA, healthcare providers who typically treat a common set of patients can designate themselves as part of this arrangement. This allows them to share a joint notice of privacy practices and collaborate on using and disclosing protected health information (PHI) for treatment, payment, and healthcare operations. OHCAs provide economies of scale in compliance efforts, enhance patient care coordination, and ensure seamless compliance with HIPAA regulations.

Differentiating between ACE and OHCA

ACEs are employed when healthcare entities share common ownership or control. In this scenario, these separate entities can designate themselves as a single covered entity, streamlining administrative tasks and compliance efforts, such as developing a unified notice of privacy practices and shared policies.

On the other hand, OHCAs are designed for healthcare providers who treat the same set of patients but do not necessarily share common ownership or control. OHCAs enable these entities to collaborate, share a joint notice of privacy practices, and simplify the handling of PHI for various purposes, promoting patient care coordination. While both ACEs and OHCAs aim to enhance compliance efficiency, ACEs are tailored for organizations under common ownership, whereas OHCAs facilitate collaboration among clinically integrated entities.

When is a business associate agreement required?

A business associate agreement (BAA) is a legal document outlining the responsibilities and obligations of a covered entity - your healthcare organization - and its business associates under HIPAA regulations. You should ask for a business associate agreement whenever PHI is involved.

Any third-party organization that performs services involving PHI on your behalf is considered a business associate. The BAA is required to ensure that the business associate complies with HIPAA rules and safeguards PHI appropriately.

See also: Business associate agreement provisions

The difference between an Other Arrangement and a business associate agreement

A BAA is a formal, legally binding contract between a covered entity (such as a healthcare provider) and a business associate (such as a medical billing company). Its purpose is to clearly outline the business associate's roles, responsibilities, and obligations regarding the handling, storage, and safeguarding of ePHI.

BAAs are highly customizable and allow the parties to negotiate specific terms and security measures that align with the requirements of the HIPAA Security Rule. They provide a structured and formal framework for ensuring ePHI protection and create legally enforceable obligations on the part of the business associate. This level of customization and formality offers the covered entity greater control and specificity in how ePHI is managed by the business associate.

In contrast, an "Other Arrangement" is a broader term encompassing alternative methods for achieving HIPAA compliance, particularly when both parties are government entities. These alternatives can include Memoranda of Understanding (MOUs) or relying on existing laws and regulations that already impose requirements on the business associate.

While MOUs can be formal agreements, "Other Arrangements" may not always involve a written contract or the same level of formality as a BAA. These alternative methods may provide less flexibility for customization. They may rely on pre-existing legal frameworks, potentially offering less control and specificity compared to a BAA.

HIPAA compliant email and other arrangements

In ACEs, where common ownership exists, email security measures can be standardized and implemented across all affiliated entities. This ensures consistent encryption, access controls, audit trails, and user training practices for email communications containing PHI. In the case of OHCAs, where clinically integrated providers collaborate without common ownership, a shared email system with encryption and access control can be established. This allows for efficient and secure exchange of PHI while preserving individual entity autonomy. Both ACEs and OHCAs should also maintain audit trails to track email communications containing PHI and to ensure that email communication remains HIPAA compliant.