A business associate is an individual or entity that is not acting as an employee. So it's not somebody on your payroll, not somebody working in your offices under your managers and following your managers' directions, or the like; they're not acting as an employee, and they use or disclose PHI on behalf of a covered entity. Read this expert information, provided by our speaker at a HIPAA conference, to learn more.
The key words are “on behalf of”. So it's something that a covered entity could do for itself but instead has somebody else do for it.
If you have somebody you submit your encounter information to, and they generate claims and send them off to the insurers for you, there are companies that do that. Those are your business – that's a business associate under the most recent HIPAA guidelines. They're doing something on your behalf.
Business associates were not covered directly by HIPAA earlier. They had to be covered by contracts, and there had to be certain required elements in those contracts. The covered entities were the ones responsible for putting the contracts in place and making sure the business associate did the right thing. And the covered entities were also responsible for violations by the business associate.
Now, think about this for a second and you realize there are some real flaws with this approach. Our expert noted at a HIPAA online training event: what happens if you're in a situation where, for instance, we have as a business associate right now a large electronic record systems company that provides EHR services for a number of hospitals?
And these are hospitals that, by themselves, are big enough that they could be running their own EHR systems within their facilities if they wanted to. They've chosen instead to outsource this to this company, which keeps them all in a data center out in the Midwest. They manage it all, and the hospitals' access is over the Internet.
Now, what happens if somebody at that business associate, this large company that handles data for dozens of hospitals, has a problem in their facility, there's a breach within their facility, and the data gets exposed?
Suddenly all these hospitals that are their clients are the ones responsible for those violations of the HIPAA security standards. Does that seem fair? Not exactly.
The old way worked fine when they were considered equals or, you know, when the business associates were just little companies providing some business services, something like that.
But when you get into this modern context, suddenly the old definition starts to not really make sense. You'd think that if there's a problem with that particular business associate, they are the ones who should be responsible for those violations. They are the ones who should be on the hook for having done the right thing or not.
Certainly the covered entity will still have to make notifications and will still bear some cost, but at least we'll have some clarity as to who's responsible and what they should be doing.
So the change is that business associates are now directly under HIPAA. That was brought about by the HITECH Act, Sections 13401 and 13404, which came along as part of the Recovery Act.
That's where they said that the HIPAA Security Rule safeguards apply to business associates, and the Privacy Rule use and disclosure provisions also apply. That basically means business associates can't do anything with the data that the covered entities can't do with the data, and that they also have to provide the same kind of safeguards that covered entities do, directly under the HIPAA regulations now.
As well, they can only use the information as stated in the contract. This is very important. Your business associate agreements should state clearly what the information can be used for, and you might also put in some clauses as to what the information cannot be used for, because it's very clear: it can only be used as stated in the contract, and any use beyond that is a violation.
So the business associate can't decide, “Hey, listen, let's do something different,” and contact you on the telephone and say, “You know, we should do this and use this information differently.”
If it's something different from what's called for in the contract, you're going to be in trouble even if you both agree to it. You want to make sure your contract stays accurate.
And part of the deal here is that the penalties can apply directly to business associates. Business associates are also responsible for having the agreements in place, so they're responsible for making sure they have agreements both upstream and downstream.
And so the final rule is effective March 26, 2013 and enforceable September 23, 2013. There are some other dates involved with the agreements for some other circumstances, but these are the dates you really need to think about. You need to be doing things by the book by September 23, 2013 to maintain HIPAA compliance.