Business Associate Management

  1. Coverage

Insert site name (hereafter referred to as the ‘Organization’) workforce members who access, use, disclose or transmit confidential patient information. Our workforce includes all clinical providers, clinical support staff, volunteers, students and other staff members involved in the routine operations of our delivery of care.

  2. Create / Revision Date

March 13, 2013

  3. Purpose

The purpose of this policy is to provide guidance on management of the Organization’s Business Associates (BAs) and their Contractors.

  4. Policy Statement
     1. This Organization establishes and maintains relationships with Business Associates that are in full compliance with all the requirements of HIPAA.
     2. Business Associates must access, use and disclose PHI (Protected Health Information) strictly in accordance with the written Business Associate Agreement (BAA) they maintain with this Organization.
     3. Under the HIPAA Omnibus Privacy Final Rule, the definition of a Business Associate includes an entity that ‘creates, receives, maintains, or transmits’ protected health information on behalf of a Covered Entity (CE).
     4. The definition of a Business Associate includes a ‘subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the Business Associate’. Subcontractor means: ‘a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.’
     5. A CE may treat a contractor who has his or her duty station onsite at a covered entity and who has more than incidental access to PHI as either a member of the CE workforce or as a BA for purposes of the HIPAA Rules.
     6. An external researcher is not a BA of a CE by virtue of its research activities, even if the CE has hired the researcher to perform the research. This is an example of a technical change or clarification; sites may need legal guidance in this area if it is in question.
     7. The responsibility for maintaining compliant relationships with our Business Associates shall reside with our designated HIPAA (Privacy and/or Security) Officer(s), who shall ensure that all aspects of our Business Associate relationships are compliant and that Protected Health Information is properly protected and safeguarded by our Business Associates.
     8. Business Associates are responsible for their Contractors’ HIPAA compliance; however, the Covered Entity sets the guidelines and ultimately the levels of HIPAA compliance the Contractors must also meet, by way of specifics called out in our Business Associate Agreement language.
     9. The duties and responsibilities of the designated Privacy and/or Security Officer(s) managing Business Associate compliance include seeing that:
        • PHI is protected and safeguarded in a HIPAA-compliant manner (and according to other applicable regulations, if any) by our Business Associates and their Contractors.
        • Business Associate Agreements meet all HIPAA requirements and standards, including HITECH Act regulations and the requirements of applicable State laws.
        • Business Associates have proper and appropriate safeguards in place for the PHI they manage and PHI managed by their Contractors.
     10. Business Associates must comply with HIPAA and report to this Organization, in its role as a Covered Entity, any privacy and security events (or incidents) they discover that could be determined to be a ‘Violation’ or ‘Breach’ as defined under HIPAA and outlined within the Business Associate Agreement. Business Associates must immediately report their own ‘events’ (or incidents) that need investigation (within the BAA allowable timeframe) and those of their Contractors as well.
     11. The BAA shall guide the roles and responsibilities of our Organization, the Business Associate and their Contractors, including Breach determination and notification, for which HIPAA allows options where BAs may be designated to perform Breach determination or reporting. Under all circumstances this Organization retains control of the final Breach determination and reporting, even if Business Associates are allowed or required to perform them.
     12. All Patients’ Rights are also required of Business Associates. Amendments, restrictions on the use or disclosure of PHI, Accounting of Disclosures, Confidential Communications, and the Right to file complaints with OCR (Office for Civil Rights) are all required of Business Associates as they are of Covered Entities, if applicable to the roles performed by the BA.
     13. This Organization shall assess and monitor our Business Associates’ privacy and security safeguards. Business Associates must assess and monitor their Contractors according to their roles. Business Associates and their Contractors are required to follow all HIPAA Privacy and Security rules as applicable to their roles.
     14. All BAs and their Contractors are responsible for following Minimum Necessary guidelines as required for their roles.
     15. A person or entity becomes a BA by definition, not by the act of contracting (or operating under an agreement with a CE). Liability for impermissible uses and disclosures attaches immediately when a person or entity creates, receives, maintains, or transmits PHI on behalf of a CE or BA and otherwise meets the definition of a BA.
     16. PHI created, received, maintained, or transmitted by a Business Associate may not necessarily include diagnosis-specific information, such as treatment information, and may be limited to demographic or other information not indicative of the type of health care services provided to an individual. If the information is tied to a CE, then it is PHI by definition and it must be protected by the BA in accordance with the HIPAA Rules and its Business Associate Agreement.
     17. Per the HIPAA Omnibus Final Rules issued in January of 2013, Business Associates are directly liable under the HIPAA Rules:
        • Under the Privacy Rule, for uses and disclosures of protected health information that are not in accord with their Business Associate Agreement (BAA) or the Privacy Rule.
        • For providing information to OCR for investigations and notifying CEs of potential violations.
        • For failing to apply Minimum Necessary.
        • For impermissible uses and disclosures of PHI.
        • For a failure to provide breach notification to the covered entity.
        • For a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BAA).
        • For a failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules.
        • For a failure to provide an accounting of disclosures.
        • For a failure to comply with the requirements of the Security Rule.
        Business Associates remain contractually liable for other requirements of the BAA.
     18. Business Associate Agreements shall be documented and maintained, as shall all documentation used for HIPAA compliance in regard to the Business Associates or their Contractors, according to the HIPAA documentation policies, with a minimum retention of six (6) years.

  5. Related Documents
  • 29 -- Business Associate Agreement

List additional related documents

  6. References
  • HIPAA Omnibus Privacy Final Rules – Issued January 2013
  • Stericycle Online Security Risk Assessment tool
  • Stericycle Online Privacy Risk Assessment tool
  • 45 CFR 164.302 - 164.318
  • PRA Line Item: I.1, I.2, I.3, I.4, I.5, I.6, I.7, I.8, I.9, I.10, J.3
  • SRA Line Item: E.1, E.2, E.3, E.4, E.5, E.6, E.7, E.8, E.9

List additional references

Copyright © 2013 Stericycle, Inc. All rights reserved.
HIPAA Compliance Program