HIPAA Compliance for Business Associates

All Business Associates (BAs) must comply with the latest HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, in effect since September 2013.

One of the most challenging issues for health care organizations is ensuring that business associates can be trusted with PHI (Protected Health Information). Of the 11 million people affected by reportable data breaches between September 2009 and June 2011, 6 million (55%) were affected by data breaches involving business associates, according to the federal government. Review the list of breaches involving business associates published by HHS by checking the latest data breach report. Healthcare organizations often use the services of a variety of contractors and businesses. The HITECH Act allows covered entities to disclose the minimum necessary protected health information (PHI) to these "business associates" if the covered entities obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the HIPAA Privacy Rule. Key questions to ask:

  • Have you identified your key business associates handling PHI that you create, receive, maintain, or transmit?
  • Do you review your contract periodically with your key business associates?
  • Do you have a right-to-audit clause, or do you require your business associate to follow certain minimum security controls and best practices?


Our Approach:

EHR 2.0 provides consulting services by partnering with leading law firms to assess your business associates based on several key factors:

  • Corporate size of the BA
  • Volume of data accessed by BA
  • Number of facilities serviced by BA
  • Type of services provided by BA
  • Complexity of services provided by BA
  • Location of BA
  • Previous data breaches, complaints or incidents involving BA

Our Business Associate Assessment and Monitoring services combine the factors above with the following toolkit and consulting services to provide periodic assessment reports about your key business associates:

Self Assessment BA Toolkit

  • BA Determination Chart
  • BA Risk Assessment Questionnaire
  • BA Agreement

BA Compliance Consulting

  • BA Pre-Assessment Services
  • BA Compliance Assessment Services
  • Successful BA Monitoring

Frequently Asked Questions on Business Associate Compliance Assurance

What happens when my Business Associate has a breach incident?

If there is a breach, it is the responsibility of the covered entity to work with its BA to assess the damage and take the necessary steps to resolve it.

Our practice shares patient information with our referral doctors. Should we have a signed BA contract with all our referral doctors?

No. If the patient information is shared purely for treatment purposes, no BA contract is needed between the parties.

A software company that my organization uses is a self-certified HIPAA-compliant facility. Should I still have a BA contract signed with them?

Yes. Since they are handling your ePHI data, federal regulation requires you to have a BA contract with them.

Our practice accepts patients from both private insurance payers and government health plans. Should I have BA contract agreements with these payers and health plans?

No, you do not need a BA contract with these entities. If the patient information is shared purely for treatment or payment purposes, no BA contract is needed between the parties. However, if you use any service providers for your claims processing, you need to have a BA contract signed with those entities.

Should I have a BA contract with every business that my organization uses?

No. There are exceptions to who needs a BA agreement. Vendors such as janitorial or electrical services do not need to sign a BA contract with you.

Should I have a legal contract with my BA to protect the ePHI data residing with them?

Yes. HIPAA/HITECH regulations require that you have a contractual agreement with your BA in order to protect the data they hold. Experts at EHR 2.0 can help you with such contracts. You can reach us at info@ehr20.com.

What are the responsibilities, obligations and duties of a business associate?

  • Must comply with the HIPAA Privacy, Security, and Breach Notification Rules
  • May not use or disclose PHI except as permitted by the BA agreement
  • Must limit use and disclosure to the minimum necessary
  • Is directly subject to civil and criminal liability

Can you provide examples where there is no business associate relationship?

If PHI is shared for treatment purposes, it is not considered a business associate relationship:
  • Physician Services
  • Nursing Services
  • Laboratory Services
  • Radiology Services
  • Physical Therapy
  • Occupational Therapy
  • Bank Services
  • Courier Services

Can you provide examples of a business associate?

  • A third party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.

Who is a business associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Does a covered entity have to have the right to audit a business associate directly?

Under the contractual agreement between the CE and the BA, CEs can audit their business associates. Any breach by a BA will affect the CE. However, CEs cannot force BAs to audit their own facilities. A BA that does not cooperate with an audit is a red flag, and the business relationship should be revisited.


How can we help? – Call 866-276-8309, or e-mail us at info@ehr20.com