The HIPAA Business Associates Training course will educate business associates on dealing with protected health information alongside a covered entity.
The HIPAA Privacy Rule only applies to covered entities by law, such as health plans or health care clearinghouses. However, many providers do not carry out all of their activities and functions by themselves.
Instead, they often use the services of a business associate. According to the Privacy Rule, providers and health plans can disclose protected health information to business associates as long as the associate maintains the patient’s privacy under the Privacy Rule.
What You’ll Learn
- Introduction to HIPAA Privacy Rule
- Overview of business associates
- Overview of covered entities
- Overview of business associate contracts
- Elements of a business contract
Details
Course length: 45 minutes.
Languages: American English
Key features: Audio narration, learning activity, and post-assessment
Get Certified
American Medical Compliance (AMC) is a leader in the industry for compliance, billing, and HR solutions. To become certified, please visit us at American Medical Compliance (AMC).
Explore our other courses by visiting the AMC Course Library.
Business Associates
A business associate is a person or organization that performs functions involving the protected health information of patients to aid covered entities. Members of covered entities are not business associates. However, a covered health care provider or health plan can act as a business associate to a different covered entity.
The Privacy Rule details functions or activities that are common to business associates using protected health information. Some activities include payment or operations management, or other administrative tasks. For more detailed information on business associate functions and activities, please refer to this course.
HIPAA and Covered Entities
All individuals and organizations that meet HIPAA’s definition of a covered entity must comply with its privacy and security rules and requirements. If a covered entity uses the services of a business associate, it must establish a written business associate contract or other arrangement laying out the exact services that the associate will assist with. All business associates must comply with HIPAA’s Privacy Rule to maintain the privacy and security of protected health information. Covered entities often include healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers consist of doctors, clinics, and mental health professionals. Health plans include health insurance companies, company health plans, and government health care programs like Medicare. Healthcare clearinghouses are entities that process health information into a standard format. For more information on covered entities, please complete this training.
Business Associate Contracts
HIPAA requires that covered entities and business associates enter into contracts to ensure that the associate will appropriately protect personal health information. These contracts also help to clarify and limit the use of protected health information by the business associate.
Business associates can only use protected health information as permitted in the business associate contract. They are liable under HIPAA and are therefore subject to civil and criminal penalties for violations. Electronic protected health information must also be kept secure by business associates under HIPAA’s Security Rule. This course provides more details on business associate contracts.
Written Business Associate Contracts
Business associate contracts must establish the permitted use of protected health information by the associate. Additionally, the associate must confirm that they will not use the information in a manner that is not permitted.
Covered entities can work with business associates to implement appropriate safeguards protecting against the unauthorized use of health information. For example, business associates must report to the covered entity when they use protected health information in a manner not authorized by the contract. For more details on the required elements of a business associate contract, please complete this training.
Business Associate Liability
The OCR is the agency that takes enforcement actions against business associates for violating HIPAA’s Privacy Rule. There are several different HIPAA violations that business associates are liable for. For example, if they fail to provide a covered entity with patient records or staff compliance reports, they are liable. Additionally, associates cannot take any retaliatory action against any entity that filed a HIPAA complaint against them. Failing to comply with HIPAA’s Privacy and Security Rules is a common way that business associates violate their contracts. Lastly, business associates who do not provide notification of breached security to the covered entity are liable for unprotected health information.
Privacy Rule Exceptions
In these exceptions, the covered entity does not need to have a business associate contract in place. An example of an exception is the disclosure of health information to a provider for treatment. If a hospital refers the patient to a specialist and sends that specialist medical records, a contract is not required. This is also the case for laboratories that are testing patients’ bloodwork.
Additionally, public benefits programs such as Medicare do not need contracts due to their government-authorized activities. There are several other situations where a business associate contract is not required. This course describes these exceptions in greater detail.