A Business Associate (BA) is any person or firm that performs services for or on behalf of a covered entity (CE). By entering into this agreement with a healthcare provider, the BA accepts responsibility for any damages resulting from a breach of PHI. A covered entity (healthcare provider) can itself be considered a business associate when working with another CE. A Business Associate must also comply when working with another BA, even if it does not work directly with the CE (BA subcontractors must also comply with the HIPAA security and privacy rules).
The contract (agreement) needs to specify which uses of PHI are called for and that no other use will take place; outline the safeguards; require compliance with applicable laws; require that all PHI be accounted for (either returned or safely disposed of); and set out the terms that apply if compliance is not maintained.
HIPAA laws apply only if the BA is working with PHI – individually identifiable health information (either directly stated or that could reasonably be used to identify the patient) from the CE or another BA. The BA can face the same civil and criminal penalties as a CE.
In general the agreement states:
– Information is only to be used for the purpose instructed by the covered entity
– Proper safeguards must be in place
– Help the covered entity comply with the Privacy rule
– As with the CE, business associates must document any change in policies
“Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.”