Chapter 7: Risks from Your Business Associates
Understanding who falls under HIPAA's jurisdiction can be tricky. Healthcare providers, including doctors and nurses, are the main and most obvious group. But the reality is that HIPAA regulations are widespread and apply to a range of companies that don't necessarily belong to the healthcare industry.
In 2009, HITECH mandated that all "business associates" of HIPAA-covered entities must comply with HIPAA guidelines.
What is a Business Associate?
According to the Department of Health and Human Services (HHS), a business associate is a contractor or business whose work with the covered entity involves access to protected health information.
So if a company or person is involved in the creation, receipt, maintenance, or transmission of protected health information, that entity or person is a business associate and must be HIPAA compliant. For example, the following groups could be business associates that are subject to HIPAA laws:
- Group health plans.
- Data storage providers.
What's more, any subcontractors working with a business associate can be considered a business associate if they're involved with PHI.
For help determining whether someone is a business associate, check out this article by Inside Counsel.
Nurses as Business Owners: What You Need to Know
If you're a sole proprietor or have employees working for your nursing business, know that all of your business associates must be HIPAA compliant. You may be found liable for their noncompliance if any data breaches occur.
To make these obligations explicit, nurses should have a business associate agreement (BAA) in place with every business associate. A BAA should include:
- An agreement that the business associate will follow HIPAA and HITECH guidelines and restrictions.
- An agreement that the business associate will hold any applicable subcontractor to the same guidelines and restrictions.
- Explicit steps for how the business associate will report and respond to a data breach, including those caused by a subcontractor.
- A demonstration of how a business associate will respond to an investigation by the Office for Civil Rights (part of the HHS).
For a fully detailed business associate agreement form, consult the HHS's Sample Business Associate Agreement Provisions.
Having these contracts helps protect you from the repercussions of a data breach caused by a business associate and can prevent breaches in the first place. The BAA can educate the individuals or companies you work with on HIPAA's reach and their responsibilities. Just remember: those who can access protected health information must follow the same privacy rules that apply to your nursing business.