If you’re part of an organization that works closely with ePHI (electronic protected health information), you’ll need to understand the responsibility you bear when it comes to patient data. Both covered entities (CE) and business associates (BA) need to be part of a business associate agreement (BAA) as outlined by HIPAA policies. This blog post will go over some common terms and what they mean in relation to maintaining HIPAA compliance.
What Defines a Covered Entity and Business Associate?
- Covered entities include: health insurance companies, data aggregation companies, and healthcare providers
- Business associates include: companies directly involved in handling protected health information on behalf of a covered entity, and subcontractors of business associates
Government and law enforcement agencies, as well as two covered entities transmitting data between themselves, are not considered business associates.
What Covered Entities Need To Know
All CEs should draft business associate agreements that are tailored to their needs while meeting HIPAA requirements. CEs are held responsible for the actions of their BAs, so they must routinely check how each BA is handling and processing patient data. A CE and its BA share liability, and the CE must monitor compliance on an ongoing basis, because in the event of a data breach it will be required by law to demonstrate its due diligence. Failing to maintain compliance could ruin a covered entity's reputation should a cybersecurity incident occur.
What Defines A Business Associate Agreement?
Sections of a BAA that are required:
- What a business associate can or cannot do, and what it is required to do, with the data it has access to
- What rules subcontractors of the BA need to follow
- How the BA is to safeguard the data, in accordance with the HIPAA Privacy Rule
- How the BA will notify the covered entity in the event of a security compromise (such as a data breach)
- How the data is to be handled when the BA's engagement is terminated
Sections of a BAA that aren’t required but are best practice:
- An audit clause, so the CE can monitor the BA's compliance
- A financial responsibility clause
- An expiration date for the BAA
Many BAs don't consider themselves part of the healthcare industry; however, if they come into any sort of contact with protected health information, they must maintain HIPAA compliance. Creating straightforward policies and procedures that outline responsibility in the form of a business associate agreement will help keep patient data secure and set the standard for what both the CE and the BA can expect from the arrangement.