
Who Must Comply

Covered Entities and Business Associates must comply with HIPAA Standards when it comes to protecting a patient’s health information. Any person, business or agency who does both of the following is considered a “Covered Entity”:

  • Furnishes, bills or receives payment for health care in the normal course of business, and
  • Transmits (sends) any covered transactions electronically

Additionally, any person, business or agency who creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity (CE) is also obligated to protect PHI in accordance with HIPAA Rules.

Covered Entities and Business Associates

The HIPAA and HITECH Privacy Rules require a “Covered Entity” (CE) and a “Business Associate” (BA) including “subcontractors” to follow the same standards for protecting patient information. As such, the Omnibus Rule makes it clear that all entities are required to comply with all HIPAA rules and regulations when it comes to protecting PHI. This significant change places the burden of protecting PHI on all organizations involved.

Business associates must now carefully monitor their subcontractors, as this responsibility to protect PHI “cascades down” to more and more previously unaffected organizations.

Under the Omnibus Rule, the definitions for BAs and “workforce” have changed along with their requirements and standards. A BA is anyone who creates, receives, maintains, or transmits protected health information on behalf of a covered entity on a routine basis. Workforce includes the employees, volunteers, trainees, and other persons whose conduct, in the performance of work for either a covered entity (CE) or a business associate (BA), is under the direct control of the CE or BA.

One covered entity can be the business associate of another covered entity. The HIPAA Privacy Rule requires that each covered entity protect PHI when it is in the hands of business associates, and do so by contract. In the business associate contract, a covered entity must impose specified written safeguards for the individually identifiable health information used or disclosed by its business associates or their subcontractors.

Some examples of business associates or subcontractors would be:

  • Patient Safety Organizations (PSOs) that perform quality analyses and other activities on behalf of a covered entity
  • Health Information Organizations, e-prescribing gateways, or any person that provides data transmission services
  • Data storage companies with access to protected health information (whether digital or hard copy)
  • Cloud computing companies
  • Personal health record vendors
  • Billing services and collection agencies
  • Computer repair technicians or businesses

