Our previous HIPAA entry exposed you to some of the basics of HIPAA.   One of the things we did was to identify who was covered by the HIPAA rules.  Entities or individuals that are Covered Entities (remember: Health Care Plans, Health Care Clearinghouses, or Health Care Providers) are certainly subject to HIPAA.

But, effective February 17, 2010 under the HITECH Act, Business Associates (BA) became subject to HIPAA privacy and security rules as well.  What this means is that a company that is not in the healthcare industry, per se, but deals with medical records as part of their job duties, COULD be subject to HIPAA rules.

A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a Covered Entity; attorneys, accountants, consultants, and others are some possible examples.  But there is not a list in HIPAA which defines who is a BA by trade.  Thus, the following test is used:

  • a party who is performing a function for a Covered Entity;
  • that has access to PHI;
  • but is not an employee of the Covered Entity.

Now that you have had a chance to determine if you are or are not a BA, what are your HIPAA requirements?  Well, you must comply with HIPAA of course.  But generally you must secure the PHI, and use it only for the same purpose it was given to the Covered Entity.

Where it sometimes gets tricky is, you must make the PHI “accessible” to the individual to whom the PHI belongs; most often the patient.  So you cannot just lock it up and throw away the key.  You must also perform risk assessments of your security and mitigate determined risks.  Finally, you have notice obligations should there be a breach.

Next we will talk about what a breach is, your reporting requirements, and the related fines and penalties for a breach.