HIPAA Covered Entity & HIPAA Business Associate

HIPAA Covered Entity & HIPAA Business Associate

Patient Health Information (or PHI) and Patient Health Records (or PHR) refer to types of patient medical data that are protected under HIPAA regulations. While all types of PHI are covered by HIPAA, some types of PHR are outside the realm of HIPAA regulations. All types of organizations, corporations and individuals who are handling PHI or PHR need to ensure HIPAA compliance and follow mandates listed as a part of the HITECH Act—Health Information Technology for Economic and Clinical Health Act.

Understand Covered Entity
The HHS or Health and Human Services refers to a 'covered entity' as one of the following:

  • Healthcare Providers that handle patient information in the electronic form
  • Healthcare clearinghouses that handle patient information listed as a part of claims forwarded by the healthcare organizations
  • Health plans under which medical care of patients is covered

Administrative Simplification standards adopted by the HHS refer to the following as a Healthcare Provider:

  • Doctor
  • Clinic
  • Dentist
  • Clinic
  • Chiropractor
  • Nursing Home
  • Psychologist
  • Pharmacy

The following are included as a part of Health Plans:

  • HMOs
  • Carriers—Health Insurance Companies
  • Employer-sponsored health plans for employees
  • Government medical insurance plans like Medicaid and Medicare
  • Government-sponsored veteran or military healthcare plans

Understand HIPAA Business Associates
It should be understood that besides the three, main categories listed above, healthcare information of a patient is also shared across many vendors or service providers attached to a healthcare facility. Services provided by Business Associates that are usually contracted by healthcare facilities like hospitals and private clinics of physicians include:

  • Data Analysis
  • Claims Processing
  • Quality Audits
  • Accounting Software Providers
  • Medical Records Management Providers
  • Medical Billing
  • Legal Consultations
  • Accreditation Services
  • Medical Transcription Service Providers
  • Third party Administrators Helping in Claims Processing

For instance, a hospital might contract a vendor for providing scanning services for patient data. Thus, the medical scanning provider too is provided access to patient data. The HIPAA Privacy Rule mandates that PHI can be disclosed or shared with such business associates only if an assurance is provided by the business associate that the integrity of patient medical data will be maintained in compliance with the data security demands put forth under HIPAA.

Relationship Between Covered Entity & Business Associate
The assurance provided by the business entity must be in writing. This should be drafted in the form of a contract or an agreement that needs to be signed by the business associate and covered entity. There are no defined formats or wording that should be used for such documentation but the basic HIPAA regulations such as those listed as a part of 45 CFR 164.504(e) should be addressed. The document must substantiate upon what circumstances permit the use or access to PHI.

In this way, the responsibility of complying with HIPAA regulations is equally shared between the covered entity and its business associate. This is why healthcare organizations trying to establish a comprehensive HIPAA-compliant workflow need to ensure that their business associates too are educated about the issues threatening integrity of patient medical data. This is why online HIPAA training courses that were initially demanded by organizations to train their employees only are now being recommended to business associates also.