Since the passing of the Final Omnibus Rule in 2013, business associates and subcontractors also bear the responsibility for HIPAA compliance. Business associates are now independently responsible for complying with the HIPAA Privacy, Security, and Breach Notification Rule.

Who are Business Associates?

Business associates are vendors to a covered entity that creates, receives, maintains, or transmits protected health information (PHI) while performing their functions that involve PHI. Business associates may include, but not limited to these careers:

  • Lawyers
  • Accounting or consulting firms
  • Cloud service providers
  • File sharing vendors
  • Shredding service providers
  • Translator service providers
  • Consultants hired to conduct internal audits, perform coding reviews, etc.
  • Information technology vendors

According to HHS, a covered entity can only disclose PHI to an entity to help carry out their healthcare operations, but not for the business associate’s independent use or purpose. For example, a business associate or a subcontractor cannot use the covered entity’s PHI for its own email communications.

HIPAA Compliance Management Application

Reduce Administrative Burden

See all the information in a centralized space

Keep your team updated with regular information

Contact Us

Who are business associates’ subcontractors?

Similar to business associates, subcontractors are vendors to a business associate that creates, receives, maintains, or transmits PHI on behalf of a business associate. For instance, a business associate may delegate a function, service, or activity to an entity to streamline their operations. While a covered entity may take help from a business associate, business associates may take help from another entity. Under HIPAA, these entities are called business associate subcontractors. 

What are Business Associate Agreements (BAA)?

Business Associate Agreements (BAA) are contracts that specify the responsibilities of each party as it pertains to PHI. Under the federal law HIPAA, covered entities are required to execute business associate agreements (BAA) with their business associates. The law requires that covered entities only work with organizations that can assure complete protection of PHI. There should be a written arrangement of these assurances between a covered entity and a business associate.

Similarly, business associates are also required to execute a similar type of agreement, commonly known as the Business Associate Subcontractor Agreement (BASs) with their subcontractors. 

It is not just covered entities that can be audited for HIPAA compliance by HHS, but business associates and subcontractors as well. Given that all three groups are responsible for protecting PHI, it is very important to have a Business Associate Agreement (BAA) at all three levels in order to comply with HIPAA. 

According to HHS, the following information must be included in a Business Associate/Subcontractor Agreement:

  • Description of the permitted use and disclosure of PHI by the entity
  • Assurance that the entity will not use or further disclose PHI in any way other than as permitted or required by the law or contract
  • A written statement as required by the law that the entity will use appropriate safeguards to prevent unauthorized use of PHI

Once the covered entities, business associates, and business associate subcontractors identify their relationship with each other, it is crucial to ensure that the third-party entity will protect any PHI they receive. A signed agreement documents that the entity is responsible for handling PHI safely as required by HIPAA.

HIPAA Ready for Business Associates

Like covered entities, business associates can also be held liable for exposing PHI and can be subjected to heavy penalties. Much of the HIPAA compliance requirements apply to business associates. Business associates are also required to conduct risk analysis, internal audits, and have policies and procedures in place that follow the HIPAA Privacy and Security Rule.

In short, HIPAA Ready offers a comprehensive HIPAA compliance solution for every entity that is required to comply with federal mandates. HIPAA Ready combines all seven compliance management modules in a single centralized platform, thus enabling your organization to streamline compliance efforts more efficiently and effectively than ever. HIPAA compliance does not have to be a frustrating task. With the right solution, you can break down your compliance efforts into small, manageable pieces from a centralized platform such as HIPAA Ready.

Leave a comment to schedule a demo or to know more about HIPAA Ready!