HIPAA Privacy and Business Associates in a Nutshell

When most people hear about Health Insurance Portability and Accountability Act (HIPAA) and privacy of health records, they consider a physician’s duty not to disclose private medical records. Although HIPAA originally applied only to “covered entities,” which includes health plans, health care clearing houses and health care providers who transmit health information in electronic form, the privacy rules have expanded significantly in recent years and now “business associates” must also comply with the privacy requirements of HIPAA.

Who Is a “Business Associate?”

A “business associate” is a person or entity that performs functions or activities that involve the “use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

Examples of business associates include:

1. Third-party administrators who assist in claims processing for a health plan.
2. CPA firms who have access to protected health information as a result of accounting services.
3. Attorneys who have access to protected health information while providing legal services to a health plan.
4. A consultant performing a utilization review for a hospital.
5. An independent medical transcriptionist who provides transcription services for a covered entity.

Under HIPAA, a covered entity may only utilize a business associate, and provide that business associate with private health information, to help the covered entity carry out its health care functions.

Business Associate Contracts

HIPAA requires that there be a written contract with each business associate that is handling protected health information (PHI). The written contract must:

1. Establish the permitted and required uses and disclosure of PHI by the business associate.
2. Provide that the business associate will not use or further disclose the information other than is permitted by the contract or by law.
3. Require that the business associate implement appropriate safeguards to prevent unauthorized use or disclosure of PHI.
4. Require that the business associate disclose any unauthorized breach of PHI.
5. Require that the business associate complies with all provisions of the HIPAA privacy rule and the security rule.
6. Require that the business associate makes its internal policies and procedures available to the Department of Health and Human Services to ensure that it is complying with HIPAA regulations.
7. Require that the business associate return or destroy all protected health information at the conclusion of the contract.

Business associate contracts should be reviewed and renewed annually to ensure that they are in compliance with current HIPAA regulations. There should always be a valid signed contract between a covered entity and any business associate that is handling protected health information.

For more information about HIPAA privacy and business associates, contact the Goosmann Law Firm at info@goosmannlaw.com or (712) 226-4000.