Marty’s Corner: HIPAA Rules - Keeping Patient Data Safe, No Matter Who Touches It
Up until more recently, if you heard the term, business associate, you would probably think of a colleague with whom you’d collaborate on a project or enjoy a pleasant lunch. Since the advent of HIPAA, though, and especially the current step-up in enforcement of certain aspects of the HIPAA Privacy Rule, a Business Associate is a defined entity with specific responsibilities to ensure that patients’ protected health information (PHI) is kept safe and secure. Per the Privacy Rule, a business associate is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."1
So, what exactly does this mean? A covered entity is either a: 1) health care provider, such as a doctor, clinic, hospital, pharmacy, dentist, or long-term care facility; 2) health plan, such as an insurance company, HMO, Medicare, or Medicaid; or a 3) health care clearinghouses such as billing services, or any entities that "process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa." It’s important to note that a person or entity that does not transmit PHI electronically is not a covered entity.
Business associates, therefore, have a legal responsibility to ensure that PHI they receive from a covered entity is kept safe. The law requires that these assurances be in writing, typically in the form of a contract. Examples of business associates include a person or entity that has access to PHI from a covered entity, such as a CPA firm providing accounting services to a health care provider, or an attorney providing legal services to a health plan. Even a shredding service can be a business associate if they have access to PHI! The fines for HIPAA Privacy Rule violations range from $100 when a covered entity or individual did not know the act was a HIPAA violation, all the way up to $1.5 million for willful neglect.
A food & nutrition management software company that receives PHI from an electronic health record can also be considered a business associate. It’s important, therefore, that safeguards be in place such as limiting access to PHI for certain users (e.g., a storeroom clerk or food production manager), being able to scramble PHI when a copy of a site’s data is needed for support diagnostic purposes, or including the ability, if desired, to hide a portion of a patient’s name on a tray ticket or nourishment label. These and other safeguards will help keep PHI safe, as well as help ensure that business associates do not inadvertently commit violations that could incur crippling fines.
- http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html, accessed 8 May 2015.
Article by: Marty Yadrick, MBI, MS, RDN, FAND - Director of Nutrition Informatics and former President of the Academy of Nutrition and Dietetics; Fusion, 3rd Quarter, 2015