The definition of a Business Associate (B.A.) may be stated as simply as "a person or entity who performs certain activities or tasks that involve the disclosure or use of personal health information," but that is only the tip of the iceberg.
Basically, a Business Associate is an entity or person that performs certain activities or tasks involving the release or use of personal health information on behalf of a Covered Entity. The HIPAA Privacy Rule covers only Covered Entities by statute. A Business Associate can be another business or individual that accesses or obtains private health information through improper means.
There are several ways that a Business Associate can access or obtain personal health information. Examples of activities could include the following:
o As a healthcare provider – In many cases, a B.A. will be a hospital or other medical facility. A B.A. must have an agreement with the Health Insurance Portability and Accountability Act (HIPAA) that governs how they can access patient data in the event that they need it.
o As a consumer – Many healthcare consumers do not understand their rights under HIPAA and are unaware that the Privacy Rule even applies to them. Consumers have the right to request that their privacy be protected, and if their request is not granted, a Covered Entity must ensure that the B.A. obtains an appropriate waiver from the Department of Health and Human Services to protect consumer privacy.
o As a third party – If a patient needs a Health Care Provider to access and share personal health information in order to make medical decisions for them, then a B.A. is required to obtain a privacy waiver from the patient prior to accessing and sharing health records on that patient.
o As a business owner – As previously mentioned, some businesses that access and disclose private health information on behalf of a Covered Entity are not healthcare providers. They may be financial companies, retailers, accounting firms, or law firms.
The above are only a few examples of the activities a Business Associate might engage in; the list is not intended to be an exhaustive account of everything that could occur between a Covered Entity and its Business Associate. For more information on HIPAA and the Business Associate Agreement, visit the Department of Health and Human Services website.
Under HIPAA, the Covered Entity must provide its Business Associate with a written Privacy Rule. This Privacy Rule outlines the types of health information that the Business Associate will be permitted to review or disclose. For example, if a business chooses to provide healthcare to an individual who has Alzheimer's Disease and a Business Associate learns that the patient has requested to view his or her doctor's files, then the Business Associate must obtain the consent of the patient or the patient's attorney before providing the patient with this information.
The Privacy Rule also provides that the Business Associate will give the patient's attorney permission to review and/or disclose the patient's files only if the patient requests it, and the Privacy Rule states that it is the client's responsibility to obtain the consent of the patient.
The Privacy Rule requires a Covered Entity to notify a Business Associate that it intends to share the patient's health records. If a Covered Entity intends to share a patient's health records with another Covered Entity, the Covered Entity must notify the B.A. In addition, the Privacy Rule provides that the B.A. must only provide its client with authorization to provide the client's attorney with . . . . . . the patient's authorization if it has the consent of the patient.
This requirement applies whether or not the B.A. intends to notify the attorney or the client that the client intends to receive the patient's authorization to view or access his or her files, and it applies whether or not the attorney or the client consents to the disclosure of the patient's files.
Finally, the Privacy Rule states that the B.A. will be obligated to comply with and abide by the Privacy Rule only if the Business Associate contracts with the Covered Entity that it will not disclose the health records of any third party without the prior consent of the client.