Business associates are vendors to a covered entity that create, receive, maintain, or transmit protected health information (PHI) on the covered entity's behalf while performing functions that involve PHI. Business associates may include, but are not limited to, the following types of organizations:

  • Lawyers
  • Accounting or consulting firms
  • Cloud service providers
  • File sharing vendors
  • Shredding service providers
  • Translator service providers
  • Consultants hired to conduct internal audits, perform coding reviews, etc.
  • Information technology vendors

According to HHS, a covered entity may disclose PHI to a business associate only to help carry out the covered entity's healthcare operations, not for the business associate's independent use or purpose. For example, a business associate or a subcontractor cannot use the covered entity's PHI for its own email communications.

Business Associate Agreements (BAAs) are contracts that specify the responsibilities of each party as they pertain to PHI. Under HIPAA, a federal law, covered entities are required to execute a BAA with each of their business associates. The law requires that covered entities work only with organizations that can provide assurances of complete protection of PHI, and those assurances must be documented in a written arrangement between the covered entity and the business associate.

Business associates are likewise required to execute a similar type of agreement, commonly known as a Business Associate Subcontractor Agreement (BASs), with each of their subcontractors.

It is not only covered entities that can be audited for HIPAA compliance by HHS; business associates and subcontractors can be audited as well. Because all three groups are responsible for protecting PHI, it is very important to have a Business Associate Agreement (BAA) in place at all three levels in order to comply with HIPAA.

According to HHS, the following information must be included in a Business Associate/Subcontractor Agreement:

  • Description of the permitted use and disclosure of PHI by the entity
  • Assurance that the entity will not use or further disclose PHI in any way other than as permitted or required by the law or contract
  • A written statement, as required by the law, that the entity will use appropriate safeguards to prevent unauthorized use or disclosure of PHI

Once covered entities, business associates, and business associate subcontractors have identified their relationships with one another, it is crucial to ensure that each third-party entity will protect any PHI it receives. A signed agreement documents that the entity is responsible for handling PHI safely, as required by HIPAA.

Source: HIPAA Compliance for Business Associates