Business Associate - What is it, Roles & Responsibilities, Covered Entities, HIPAA Privacy Rule, BAA expiration date
Whether you’re smack dab in the middle of the medical field or providing support from the sidelines, odds are you’re worried about HIPAA compliance.
It may surprise you to learn how many different pieces of private information are protected under HIPAA and the legislation and rulemaking that extended it: the HITECH Act and the HIPAA Omnibus Rule. Today, we’ll demystify the need-to-know HIPAA compliance terms and everything that goes into business associate agreements.
Topics covered in this article include:
Our team is dedicated to making your experience with digital security as straightforward as possible. We’ve poured time and resources into ensuring that our email encryption services are both HIPAA compliant and easy to master.
We know that having full control over your email security is important. Read on to learn more about the ins and outs of being a Business Associate and how email encryption plays in fulfilling your digital safety obligations.
The digital version of a patient’s paper chart. These invaluable tools allow professionals to update results in real-time. With the benefits of automation and workflow streamlining come heightened responsibilities. It is important to keep EHRs secure as they are the entirety of a patient’s medical history, medications, images, and treatment plans.
Protected Health Information (PHI) is any health-related information (diagnoses, treatment, or payment for care) combined with an identifier that ties it to a particular individual. Identifiers include date of birth, Social Security number, address, and the like; digital examples include IP addresses, biometric data, and account or payment information. The electronic form of this information is called ePHI (Electronic Protected Health Information), and the page uses (e)PHI where a statement applies to both.
The Health Insurance Portability and Accountability Act of 1996, a federal law whose Privacy and Security Rules set national standards for how identifiable health information must be protected. Associated regulations cover employees, patients, clients, etc. The Department of Health and Human Services Office for Civil Rights (HHS OCR) enforces HIPAA against the organizations that are legally required to comply with it.
Health Information Technology for Economic and Clinical Health Act
Established to increase the use of Electronic Health Records (EHR). This act rewards health care providers that adopt and meaningfully use digital medical records and applies payment reductions to eligible providers who fail to do so. It also outlines technical requirements for hospitals, doctors, and other healthcare providers who use EHR.
The introduction of HITECH extended HIPAA requirements directly to Business Associates and Business Associate Subcontractors. It also introduced tiered civil penalties for breaches, including a penalty tier for violations the organization did not know about and could not reasonably have known about.
Improves patient privacy protections and strengthens individuals’ rights to their health information. Direct examples this rule applies to include:
Simply put, the differences lie in which tasks each individual or group undertakes regarding the information being shared, stored, and analyzed. Business Associates tend to be vendors and third-party companies that work for Covered Entities.
When it comes to healthcare privacy laws, everyone that comes into contact with (e)PHI is expected to adhere to the same levels of privacy and protection. Since the Omnibus Rule, Business Associates are directly liable, alongside Covered Entities, for HIPAA violations and breaches involving the PHI they handle.
Covered Entities fall into three categories: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA standard transactions (claims, eligibility checks, and the like).
Health care providers include academic medical centers, physicians, hospitals, etc. Important to know is that Covered Entities can be institutions, organizations, or even individuals. Physicians and research staff conducting clinical studies within a covered provider are only two examples of people who must comply with HIPAA.
In short, any person or organization outside a Covered Entity’s own workforce that creates, receives, maintains, or transmits identifiable health information on the Covered Entity’s behalf (and therefore has the possibility of sharing it).
Examples of Business Associates include:
BAs assist Covered Entities in adhering to HIPAA Privacy Rules in a number of ways:
Here’s the formal definition: “A person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule.”
Overall, HIPAA requirements trickle all the way down to positions that you may not expect to have any connection to (e)PHI and EHR. That’s why documentation of expectations, responsibilities, and privacy protocols is so critical.
Under HIPAA, HITECH, and the Omnibus Rules, all involved in the management, sharing, and protection of (e)PHI are held to the same guidelines and standards.
Signed contracts ensure that all Covered Entities, BAs, and any individuals or companies the BA may employ are complying with these regulations. Everyone that comes into contact with EHRs and (e)PHI must be committed to the protection of the sensitive information involved.
To fully comply with HIPAA guidelines, a BA needs to know how the email service provider it communicates through stores, transmits, and protects messages, and needs a BAA with that provider. A significant tool for controlling access to sensitive, protected information is email encryption.
More info about BAA and Subcontractor BAAs
The internet wasn’t nicknamed “information highway” for nothing. Just as many retro sci-fi movies depict, emails pass through a chain of mail servers and cloud-based providers before being received. Transport encryption (TLS) protects each hop between servers, but every server in the chain decrypts the connection and holds the message body and attachments in the clear. That means the body and attachments can be read by each email provider along the way, by third-party companies operating those servers, and by anyone who compromises them.
It’s impossible to fully trust email service providers without meticulously combing through their user and privacy agreements. A BAA should always be established between the BA and their service provider. On top of that, there is a quick and simple way to ensure that no intermediary can read the content at all.
Encryption transforms the message so that only someone holding the right key can read it, which hides sensitive information from these prying eyes.
It’s not just any type of encryption that’s needed, though. End-to-end encryption, such as our SecureSend function, keys the message to the sender and recipient only, so the mail servers in between never see the plaintext. It is the strongest protection for message content that a HIPAA compliant email service can offer.
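The difference between hop-by-hop transport encryption and end-to-end encryption is easiest to see in code. The following Python example is added here and is not Canary Mail’s SecureSend code or any part of the original page. It models a message passing through two relays (constructed hostnames) and compares what each relay can see and alter in the two designs. It assumes the sender and recipient already share a secret established out of band (in practice via public-key exchange, which is not shown), and it uses a toy HMAC-SHA256 stream cipher with an encrypt-then-MAC tag so that it runs on the standard library alone; a real deployment would use a vetted AEAD (AES-GCM) or S/MIME/OpenPGP, never this construction.

```python
"""Hop-by-hop transport encryption vs end-to-end encryption of an email body.

Added demonstration, not code from the original page. The cipher is a toy
built from HMAC-SHA256 (counter-mode keystream plus an authentication tag) so
the example needs only the standard library; it is NOT a substitute for a
vetted AEAD such as AES-GCM or for an S/MIME or OpenPGP implementation.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed relay hostnames: the sender's mail server and the vendor's MX.
RELAYS = ["smtp.sender-clinic.example", "mx.billing-vendor.example"]


def _keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from the one shared secret.
    enc_key = hashlib.sha256(b"enc|" + shared_secret).digest()
    mac_key = hashlib.sha256(b"mac|" + shared_secret).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: block_i = HMAC(enc_key, nonce || i); never reuse a nonce.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(shared_secret: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> dict:
    """Return an envelope {nonce, ciphertext, tag}; only key holders can read it."""
    enc_key, mac_key = _keys(shared_secret)
    nonce = nonce or os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC over nonce and ciphertext so tampering is detectable.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt(shared_secret: bytes, envelope: dict) -> bytes:
    """Verify the tag in constant time, then decrypt; raise if altered in transit."""
    enc_key, mac_key = _keys(shared_secret)
    expected = hmac.new(mac_key, envelope["nonce"] + envelope["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("authentication failed: message was altered in transit")
    stream = _keystream(enc_key, envelope["nonce"], len(envelope["ciphertext"]))
    return bytes(c ^ k for c, k in zip(envelope["ciphertext"], stream))


def relay_transport_only(body: bytes, tamper: bool = False) -> Tuple[List[bytes], bytes]:
    """TLS-per-hop model: each relay terminates TLS and handles the body in the clear.

    Returns (what each relay saw, what the recipient received).
    """
    seen = []
    for i, _host in enumerate(RELAYS):
        seen.append(body)
        if tamper and i == 0:
            # A compromised or malicious first relay rewrites the record unnoticed.
            body = body.replace(b"no allergies", b"penicillin allergy")
    return seen, body


def relay_end_to_end(shared_secret: bytes, body: bytes, tamper: bool = False) -> Tuple[List[bytes], Optional[bytes]]:
    """End-to-end model: relays see only ciphertext; tampering fails verification.

    Returns (what each relay saw, recipient's plaintext or None if rejected).
    """
    env = encrypt(shared_secret, body)
    seen = []
    for i, _host in enumerate(RELAYS):
        seen.append(env["ciphertext"])
        if tamper and i == 0:
            flipped = bytearray(env["ciphertext"])
            flipped[0] ^= 0x01  # relay flips one bit of the ciphertext
            env = {**env, "ciphertext": bytes(flipped)}
    try:
        return seen, decrypt(shared_secret, env)
    except ValueError:
        return seen, None  # recipient's client rejects the altered message


if __name__ == "__main__":
    secret = b"constructed shared secret"          # constructed, out-of-band key
    body = b"Patient 1234: no allergies"            # constructed ePHI sample
    print("transport only:", relay_transport_only(body, tamper=True))
    print("end to end:    ", relay_end_to_end(secret, body, tamper=True))
```

Run it and compare the two lines: in the transport-only path every relay holds the readable body and the recipient receives the altered record without any error, whereas in the end-to-end path the relays hold only ciphertext and the altered message is rejected before the recipient ever sees it. Key management is the part this example leaves out, and it is where real deployments succeed or fail: end-to-end protection only holds if the relays never hold the key.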
Ensuring that each and every email is manually encrypted can get messy and time consuming. That’s why the Canary Mail team has worked hard to make our interface intuitive and user friendly. With us, encrypting a message containing (e)PHI is no longer a step you have to remember.
Yes, you can simultaneously be classified as a Covered Entity and a Business Associate.
Exact protocols and responsibilities should be thoroughly outlined in the BAA and any resulting subcontractor BAAs. General duties include:
A BAA must be in effect for the entire time a BA creates, receives, maintains, or transmits (e)PHI on behalf of a Covered Entity. If a BAA has an expiration date that can pass while the working relationship continues, that is a red flag that something is amiss.
Yes. There are narrow circumstances where a BAA is not required. Confusion over these exceptions is part of why many health care providers have resisted digitizing health records and private information. The exceptions include:
If you are unsure of your status in regard to private information, we recommend seeking out a qualified professional with expertise in these matters.
We are dedicated to protecting data privacy. Not only are our Enterprise Plans completely HIPAA compliant, but they also come with easy-to-learn tutorials.
Our SecureSend feature even allows you to revoke an email anytime after sending and set expiration dates. That means that your whole team has total control over sensitive content and attachments.
Contact us at any time to discuss business associate agreements and how Canary Mail can integrate seamlessly with your pre-existing infrastructure.
Learn about our simple licensing and intuitive administrative control center today!