HIPAA for Business Associates

A business associate (BA) is a person or organization that works with or for a covered entity and may use or disclose protected health information (PHI) during those operations. To ensure PHI protection and general compliance with the Health Insurance Portability and Accountability Act (HIPAA), HIPAA-covered organizations must have a business associate agreement (BAA) in effect with each of their partners. This post will answer your questions about HIPAA for business associates (BAs). 

Simply put, if a third-party organization has access to PHI in the typical course of their assigned tasks, they are a business associate (BA). 

The U.S. Department of Health & Human Services (HHS) lists the following BA tasks and responsibilities: 

• Processing or managing claims
• Processing or managing data analysis
• Reviewing utilization
• Ensuring quality
• Billing
• Managing benefits 
• Managing practices
• Repricing 

BA services include but are not limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial.

As mentioned earlier, a business associate (BA) is defined by the HHS as a person or entity that works for or offers services to a covered entity and performs specific tasks or activities that include using or disclosing protected health information (PHI).

Even though BAs don't interact with patients, they may still manage or access patient medical records. 

Like covered entities, BAs must comply with HIPAA to avoid severe penalties. BAs are required to: 

• Develop and comply with valid BAAs. To comply with HIPAA, covered entities are required to sign a BAA with their BA before sharing any PHI with them for privacy and security reasons.
• Establish legal subcontractor agreements. The BA must require that their subcontractors adhere to HIPAA regulations if they access, transfer, or otherwise encounter PHI.
• Comply with privacy rules. Many of the policies and protections that the Privacy Rule requires for covered entities to establish, such as those that regulate how PHI is used and disclosed and how individuals have rights concerning their PHI, will generally also need to be implemented by BAs.
• Perform a HIPAA Security Rule risk analysis. BAs must perform and document a HIPAA risk assessment of their computer and other information systems to detect potential security risks and take necessary action. 
• Execute Security Rule safeguards. The Security Rules specify administrative, physical, and technical safeguards that BAs must implement.
• Implement written Security Rule policies. BAs must establish and maintain the written procedures required by the Security Rule. 
• Act immediately to a violation or breach. If a BA permits or experiences a PHI breach, they should notify the covered entity immediately.
• Enforce HIPAA training for employees. BA employees should participate in and complete HIPAA training to fully comprehend their obligations concerning protecting PHI. 
• Keep required documentation. BAs are required to preserve documents required by the Security Rule for six years following the document’s last effective date. 
• Destroy or return PHI. The BA must agree to return or destroy any PHI they received from the covered entity they are working with once their services are finished. This also includes subcontractors. 
• Examine other federal or state privacy laws. If a state or other federal law has stricter regulations than HIPAA, BAs should abide by that law.

If certain requirements are met, PHI can typically be shared directly from one BA to another BA of the same covered entity without using the covered entity as a conduit or intermediary. The conditions to be met can depend on factors such as: 

• Whether the covered entity directed the BA to make the disclosure
• Whether the BA contract authorized the disclosure
• The purpose of the disclosure

Like covered entities, BAs may be held accountable for PHI exposure. By signing a BAA, BAs are required to follow HIPAA regulations or risk paying penalties for HIPAA noncompliance. 

According to the HHS, if an unsecured PHI breach occurs at or by a BA, the BA must notify the covered entity immediately upon the discovery. HIPAA allows a 60-day window upon discovery to notify the covered entity of a breach. To the extent practicable, the BA should disclose to the covered entity the identification of each person affected by the breach and such additional Information as may be required by the Covered Entity in its notice to the individuals affected by the breach. 

A HIPAA business associate agreement (BAA) is a contract between a covered entity and an organization or individual outlining the duties and responsibilities of that organization as it relates to the protection of any PHI shared between the two parties. HIPAA requires a BAA for covered entities and their BAs with access to PHI as part of their services. 

For more information on HIPAA Business Associates, visit the U.S. Department of Health & Human Services (HHS) website. 

The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates to protect the privacy of protected health information; however, covered entities are not required to monitor or oversee how their business associates carry out privacy safeguards.

If patient information is compromised, the healthcare industry will ultimately shoulder the burden. As a result, a third-party IT security vendor should have the knowledge and experience to meet the highest HIPAA compliance criteria.

To successfully complete the course and earn Continuing Education Units (CEUs), you must:

• Complete the required time within the course curriculum before the course is considered finished.
• Validate your identity at designated checkpoints throughout the course.*
• Pass all quizzes and the final exam with a minimum score of 70% within three attempts or fewer before a certificate of completion can be issued and CEUs can be awarded.**

*How is identity validated during the course?

360training verifies each learner’s identity through periodic validation questions during the learning event. At the beginning of the course, learners are prompted to answer a series of personal validation questions. These responses are securely saved in the Learning Management System (LMS).

• What is your childhood nickname?
• What is the name of your favorite childhood friend?
• What is your oldest cousin’s first name?

Throughout the course, the LMS will prompt learners to answer these validation questions at preset intervals (e.g., every ten minutes).

• If a learner answers correctly, they are allowed to continue.
• Incorrect responses may result in the learning event being temporarily locked.

This process ensures the individual completing the course is the same person who enrolled.

**How are CEUs calculated?

Upon successful completion of the course requirements, CEUs will be awarded according to the following standard:

• 10 hours of education = 1.0 CEUs
• 30 hours of education = 3.0 CEUs
• 5 hours of education = 0.5 CEUs

Important: Partial credit or adjusted CEUs are not awarded. Learners must fully meet all course requirements, including identity validation, time-in-course, and passing scores, to receive CEUs.