Am I a Business Associate under HIPAA HITECH?

October 14, 2013

It is October of 2013 and there are still tens if not hundreds of thousands of business associates who, through ignorance or denial, are not compliant with HIPAA HITECH or the Omnibus Rule. How can that be when so much has been written since 2009, when the law passed, 2010, when the Notice of Proposed Rule Making was published, and 2013, when the Omnibus Rule was finally published?

The blame can be shared by HHS, covered entities, healthcare law firms, and the business associates themselves. HHS has done a poor job of educating both covered entities (CE) and business associates (BA) about their responsibilities. Healthcare law firms until very recently were telling their CEs that all they had to do was get the BA to sign an agreement. The BAs then felt that once they signed the agreement they were done. With little or no enforcement, this arrangement worked quite well. The law firm got a fee for creating the agreement, the CE felt they were compliant, and the BA signed and duly filed any agreement they received.

The shameful delay in publishing the Final Rule or Omnibus Rule was a great contributor to this lack of compliance. The NPRM was published in July of 2010 and contained all of the key elements of what was finally published in January of 2013 and effective March 26, 2013. A single person working with a quill pen on parchment paper should have been able to write this in far less time.

But enough of the blame game. What are the rules, how do you know whether you are a business associate, and if you are, how do you know whether you are compliant? Here is what HHS says:

_What Is a “Business Associate?” A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules._

_Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103._

_Examples of Business Associates._

_A third party administrator that assists a health plan with claims processing._

_A CPA firm whose accounting services to a health care provider involve access to protected health information._

_An attorney whose legal services to a health plan involve access to protected health information._

_A consultant that performs utilization reviews for a hospital._

_A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer._

_An independent medical transcriptionist that provides transcription services to a physician._

_A pharmacy benefits manager that manages a health plan’s pharmacist network._

