PROTECTING THE PRIVACY OF PATIENTS' HEALTH INFORMATION - US Dept of Health and Human
This version includes COMPANY NOTES from Biometrics Direct
James Childers - CEO of ASG
- My NOTES will be
Who is affected by HIPAA?
The law applies directly to three groups referred to as "covered entities." Under HIPAA, a covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. Also see Part II, 45 CFR
Health Care Providers: Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which standard requirements have been adopted.
Health Plans: Any individual or group plan that provides or pays the cost of
Clearinghouses: A public or private entity that transforms health care transactions from one format to another.
HIPAA, however, indirectly affects many others in the health care field. For instance, software billing vendors and third-party billing services that do not qualify as clearinghouses or some other covered entity are not covered by HIPAA. They may, however, need to change their business operations if they are trading partners or business associates of a covered entity.
This is Where The Definitions Get "Sticky"...
Business Associates - what is a "Business Associate"?
A Business Associate is an individual or entity that receives protected health information (PHI) from a covered entity, such as a medical practice, so that the business associate may perform services or functions, or assist in the performance of services or functions, on behalf of the covered entity. HIPAA mandates that the covered entity require a Business Associate to sign a Business Associate Agreement (BAA). This agreement pulls parties that normally do not fall under the definition of a covered entity right into the HIPAA water. The agreement requires the BA to offer the same protection of the data as the covered entity must, and it is a contract enforceable in court. If the BA does not sign the agreement or fails to protect the data, HIPAA requires the covered entity to terminate its relationship with the BA. Bottom line: BAs must follow the same guidelines as a covered entity. A BAA can also be an addendum to an existing business agreement and does not have to be a separate document.
What are some examples of Business Associates?
Medical Transcription Service
IT Support Services
Help Desk Outsourcing
An employee of the covered entity or a member of the covered entity's own workforce is not considered a business associate. Independent contractors are Business Associates. Also, other health care providers to whom covered entities disclose PHI for treatment purposes are considered business associates, too. This includes other covered entities as well as those not directly affected by HIPAA.
Business Associates need to demonstrate "HIPAA Compliance" by going through the same processes that a covered entity must. This means setting up a manual for HIPAA policies & procedures, training employees, and implementing the