Security Rule Requirements Part 5, Business Associates § 164.308(b)(1)

Automated HIPAA Compliance Platform

Most practices seek assistance from one or more businesses to help them with certain functions within their organization. Depending on the type of service they provide, they may be considered a “Business Associate” under the HIPAA guidelines.

So, what defines a business associate § 164.308(b)(1)?

  • Any person or entity that may encounter ePHI/PHI while providing services to the covered entity. For example, a shredding company, billing company, or an IT company. Even if the IT company is not responsible for the data transmission or storage of ePHI, they are still considered a business associate under the definition by the Office for Civil Rights (OCR). This is because they may have access to computers or software to assist the provider when issues arise, or when updates are needed.
  • Software providers such as EHR/ EMRs, and practice management are also BAs. Custom software providers may also be included if they maintain the system and are required to provide updates. The exception to this would be if a custom software were developed and turned over to the practice for their use and then maintained by the IT vendor. The IT vendor would be the BA.
  • Clearinghouses are covered entities, and business associates of a covered entity since they facilitate the processing of health information from a nonstandard format into standard format, or from standard format into nonstandard format.
  • Some practices with multiple partners may use revenue from patients to determine each provider’s share. If they use a third party like a CPA, then the CPA may be considered a BA.
  • If an attorney is needed to defend the provider/practice against a patient and PHI is disclosed, the attorney is then a BA.

An easy way to remember this is… if PHI/ePHI is disclosed or the possibility of being disclosed during the job function of the vendor, then they are a BA.

A cleaning company is NOT considered a business associate even though they may encounter PHI because their job function does not include the creation, transmitting, or maintaining of ePHI. It is advisable to require the company to sign a confidentiality agreement and require their employees receive HIPAA training, so they understand the HIPAA rules.

When hiring a business associate it is required under HIPAA to ensure your vendor is HIPAA compliant. The first step is to obtain a Business Associate Agreement (BAA), but you must also have reasonable assurances they are in fact HIPAA compliant. You may request their most recent HIPAA training for the employees that will be responsible for working withing your practice, policies on data security, and depending on the services they provide, a copy of their latest risk analysis (first and last page that demonstrates who conducted the analysis and when). You also have the right to ask if they use business associates (subcontractors). The practice must ensure that anyone and everyone that comes in contact with ePHI/PHI understands how to protect this data.

Large medical practices are targeted by hackers since this information is so valuable. Smaller practices are hacked through phishing attacks, unsuspecting employees, business associates, and outdated software/hardware. It is everyone’s responsibility within the practice to ensure all data is secure and to avoid data breaches. I am sure you are thinking that if the government cannot keep data secure, how can you? Large organizations are always a target, and they have the same issues as smaller ones just more area of vulnerabilities for the bad actors to get in.

Stay safe out on the World Wide Web (WWW), we call it, the Wild Wild West. The biggest difference is, during the Wild Wild West days, you could see trouble coming into town and prepare. On the World Wide Web, trouble is invisible until it is too late.

If you need assistance with Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

Share This HIPAA Blog

Security Rule requirements, Part 4, Evaluations 45 CFR § 164.308(a)(8)

May 15, 2021

Changes to the HIPAA Privacy Rule

July 15, 2021
©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC