Covered Entities and Business Associates must comply with the HIPAA Standards when protecting a patient’s health information. Health plans and health care clearinghouses are Covered Entities by definition; a health care provider (any person, business or agency) is a “Covered Entity” if it does both of the following:
- Furnishes, bills or receives payment for health care in the normal course of business, and
- Transmits (sends) any covered transactions (for example, claims or eligibility inquiries) electronically
Additionally, any person, business or agency that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity (CE) is a Business Associate and is likewise obligated to protect PHI in accordance with the HIPAA Rules.
Covered Entities and Business Associates
The HIPAA Privacy and Security Rules, as amended by the HITECH Act and its Omnibus Rule, require a “Covered Entity” (CE) and a “Business Associate” (BA), including a BA’s “subcontractors,” to follow the same standards for protecting patient information. The Omnibus Rule makes clear that every such entity is directly liable for complying with the applicable HIPAA rules and regulations when it handles PHI. This significant change places the burden of protecting PHI on all organizations involved, not only on the covered entity.
Business associates must now carefully monitor their subcontractors, and enter into written business associate agreements with them, because the responsibility to protect PHI “cascades down” to more and more previously unaffected organizations.
Under the Omnibus Rule, the definitions of “business associate” and “workforce” have changed along with their requirements and standards. A BA is any person or organization, other than a member of the CE’s workforce, that creates, receives, maintains, or transmits protected health information on behalf of a covered entity on a routine basis. Workforce includes the employees, volunteers, trainees, and other persons whose conduct, in the performance of work for either a covered entity (CE) or a business associate (BA), is under the direct control of the CE or BA; workforce members are covered by their organization’s own HIPAA obligations rather than by a business associate agreement.
One covered entity can be the business associate of another covered entity. The HIPAA Privacy Rule requires each covered entity to protect PHI while it is in the hands of its business associates, and to do so by contract (a business associate agreement). In that contract, the covered entity must impose specified written safeguards for the individually identifiable health information used or disclosed by its business associates or their subcontractors.
Some examples of business associates or subcontractors are:
- Patient Safety Organizations (PSOs) that perform quality analyses and other activities on behalf of a covered entity
- Health Information Organizations, e-prescribing gateways, and any other person that provides data transmission services and needs routine access to PHI (mere conduits, such as the postal service or an internet service provider that only carries traffic, are not business associates)
- Data storage companies with access to protected health information (whether digital or hard copy)
- Cloud computing companies that store or process PHI, even if the data is encrypted and the provider never views it
- Personal health record vendors acting on behalf of a covered entity
- Billing services and collection agencies
- Computer repair technicians or businesses with access to systems holding PHI