If you provide professional services for a health care organization and have access to protected health information (PHI), you have probably heard the phrase “business associate” as it relates to HIPAA compliance. This can be a confusing area of compliance and security, but if you are in fact considered a business associate, you must be up-to-date on the facts in order to protect yourself and your organization legally. Here are the key points to keep in mind:
Who Is Considered a Business Associate?
A business associate is a person or entity who receives or has access to protected health information (PHI) in the course of performing business services for a hospital, clinic, or other health care organization covered by HIPAA, also known as a “Covered Entity.” Here are some common examples of business associates, keeping in mind that to qualify any of these roles must disclose, receive, or have access to PHI as part of their job:
- A third party claims processor
- An attorney or other legal professional who has access to patient records, data, or other protected information
- An IT professional or company with access to PHI
- An accountant for a Covered Entity
- A business, tax, or compliance auditor for a Covered Entity
- An independent medical transcriptionist or transcription company
- Professional medical translation companies or individuals
- Document management, storage, or shredding companies
- An external answering service or virtual assistant company
This is not an exhaustive list, but should give you a good idea of who may be considered a business associate in a HIPAA-related context.
What Are Some Exceptions?
Not everyone who has access to PHI is automatically considered a business associate. Employees (as opposed to contractors or outside professionals) of a Covered Entity are not considered business associates; they are part of the Covered Entity's workforce and follow that entity's own HIPAA policies. Other examples of exceptions include workers such as janitors or repair techs who do not have access to PHI, even if they perform work for a Covered Entity. If you would like more clarification on whether or not you or your company are considered business associates, the federal government’s Department of Health and Human Services’ website is a great place to start.
Make Sure You Have Business Associate Agreements on File
All Covered Entities using the services of business associates are required to have contracts known as Business Associate Agreements on file. These contracts are designed to ensure the protection of patient information as well as HIPAA compliance.
The contract should include specific wording explaining what is considered proper use of PHI as well as an acknowledgement that as a business associate you will not use or disclose PHI outside of the bounds of what is necessary for your work or the permissions given to you in the contract. Most Business Associate Agreements will also stipulate that as a business associate you use specific safeguards to ensure the protection of private health information, data, and records.
The details and verbiage of your Business Associate Agreement will vary depending on your unique situation, the nature of the Covered Entity you are working with, and their legal department’s requirements and preferences. It is important to read any legal contract carefully and ask questions before signing it, as once signed you are legally bound to abide by the contract until it is terminated. If you find the Business Associate Agreement confusingly worded or unclear, or feel that it places an unreasonable or impractical burden on you or your company, it is a great idea to consult with your own business attorney. They can determine if the contract makes sense, is fair, and in your best interest before you sign it, and may be able to help negotiate changes if necessary.
You Must Follow the “Minimum Necessary” Requirement
As a HIPAA business associate, your main duty is to follow the “minimum necessary” requirement. This HIPAA requirement states that you must limit the PHI you access, transmit, or otherwise interact with to only the “minimum necessary” and no more. This standard must be followed by all business associates in order to maintain compliance. In essence, the minimum necessary guideline means that if your job requires you to know or have access to a certain amount of private health information, you avoid having access to any additional PHI.
The minimum necessary guideline is important, but can also be a bit vague. To help illustrate how it works in practice, consider this example: Let’s say that you are an attorney looking into claims that a hospital has over-billed their patients. In order to do your job, you need access to billing records for a subgroup of patients, but do not need access to these patients’ complete medical records. Knowing what they were seeing the doctor for or their medical history would not be relevant or necessary in order for you to do your job. If you accessed these records anyway, you would most likely be considered in violation of the minimum necessary guideline.
The minimum necessary PHI that you need access to in order to do your job will of course depend on your unique role and situation. This should be clarified and included as part of your Business Associate Agreement.
Do you still have questions about your role as a business associate? Let us know in the comments! And for more information about how we can help manage your IT and security risk mitigation needs, contact us anytime.