To understand what a Business Associate Agreement does, you must first understand what a Business Associate is. The information below is provided by the Department of Health & Human Services, Office for Civil Rights, to better understand the relationship between Covered Entities and Business Associates.
Covered Entity- A health care provider who electronically transmits health information in connection with certain transactions (such as claims, benefit eligibility inquiries, or referral authorization requests), a health plan, or a health care clearinghouse.
Examples of Covered Entities include:
- Doctors, Clinics, Nursing Homes and Pharmacies that transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard
- Health insurance companies
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
- Entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Business associate- a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
Examples of Business Associates.
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
Business Associate Contract -The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also clarifies and limits, as appropriate, the permissible uses and disclosures of protected health information by the business associate.
Protected Health Information - The Privacy Rule defines “protected health information” (PHI) as individually identifiable health information, held or maintained by a covered entity or its business associates, that is transmitted or maintained in any form or medium. This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.