In order to properly assess the relevance of HIPAA compliance to your organization, it is important to understand what a Covered Entity (CE) and a Business Associate (BA) are. In this blog we’ll talk about what these terms mean, the differences between them, and how each is handled when assessing HIPAA compliance.
Differences Between Covered Entities & Business Associates
The relevancy of HIPAA compliance is different depending on whether your company is a covered entity or a business associate. Both terms are used within HIPAA guidance, so it’s important to know which applies to you. If you are a software company that develops a tool used by a pharmacy (business associate), or if you are the pharmacy (covered entity), the security of health-related information is critical to your business operations.
Business Associates
A HIPAA business associate is a person or company that performs a function or provides a service for a covered entity, where that function or service involves access to protected health information (PHI). The functions a HIPAA business associate performs vary with the services offered and with industry-specific regulations, but the term covers any business that creates, receives, stores, or transmits PHI on a covered entity’s behalf. Some examples of these companies are:
- Consulting companies that provide advisory services.
- Businesses that dispose of physical or electronic data.
- Companies that provide technology solutions.
- Billing companies that process billing and claims.
- Administrators of self-funded health plans.
We also offer this additional guidance regarding PHI:
- De-Identification of Personal Information: What is It & What You Should Know
- PII, PHI, PCI: Understanding the Differences for Compliance
- HIPAA Authorization: Requirements & Consent for Disclosing PHI
Covered Entities
The types of companies that can be a covered entity are more restricted than a business associate. Additionally, a covered entity can be a business associate of another covered entity. There are three major types of covered entities:
- A Health Plan – Health insurance companies and government programs, such as Medicare, that pay for healthcare.
- A Healthcare Clearinghouse – A company that converts non-standard health data into data types that conform to HIPAA regulations.
- A Healthcare Provider – Doctors, dentists, pharmacies, etc.
There are also notable examples of organizations that are not considered covered entities. Schools are one: according to the US Department of Education’s Student Privacy Policy Office, when a public school provides healthcare services to its students, the resulting student health information is classified as “education records” under the Family Educational Rights and Privacy Act rather than as PHI. Employers that maintain employee health records but do not use them for HIPAA-covered transactions are also not covered entities. However, according to the HIPAA Journal, an employer may be a “partial entity” if it administers a self-insured health plan.
Complying with HIPAA Rules
The differences between a covered entity and a HIPAA business associate have significant implications for who is required to comply with the HIPAA regulations. When engaged by a covered entity, a HIPAA business associate is expected to comply with the same HIPAA Security Rule and Breach Notification Rule requirements. A business associate’s obligations under the Privacy Rule depend on the service being provided to the covered entity.
Business Associate Agreements & Benefits
A business associate agreement (BAA) should be signed by the business associate and the covered entity before any business commences. Contracts between a business associate and the subcontractors that act as business associates on its behalf are subject to the same requirements. A BAA should include specific items such as the permitted and required uses and disclosures of PHI, the implementation of appropriate safeguards, and what happens when the terms of the contract are violated.
The BAA assists in fulfilling HIPAA compliance requirements for covered entities and in establishing the obligations for business associates. The legal responsibilities stated within the agreement protect covered entities and also lessen the likelihood of disputes while increasing trust between the parties. Additionally, BAAs lower the risk for the involved parties by requiring safeguards to be implemented in order to protect data.
A Business Associate Agreement versus a Non-Disclosure Agreement
Most of us have probably signed a Non-Disclosure Agreement (NDA) at some point, either when starting a new job or meeting with a client. NDAs are widely used between companies and individuals who plan to share information or who may be prospective buyers of products or services. For example, if you are hiring someone or meeting with a prospective buyer of your services, you will want the future hire or prospective buyer to sign an NDA before discussing confidential business-related information. The key features of an NDA include:
- Identification of the involved parties.
- Defining what is confidential between the parties.
- Scope of the confidentiality obligation by the receiving party.
- Exclusions from confidential treatment.
- Terms of the agreement, such as when the agreement will terminate.
Summary
Hopefully this blog has helped increase your understanding of the differences between business associates and covered entities. Beyond understanding the difference between the terms and the different types of agreements, being able to evidence your company’s awareness of and commitment to privacy and security can be a competitive advantage.
If you are interested in learning more information about HIPAA compliance rules or would like assistance with an upcoming HIPAA audit, please contact us and request a consultation.
Check out our other articles to learn more about HIPAA compliance:
- SOC 2 vs. HIPAA: What’s the Difference Between a SOC 2 Report & a HIPAA Report?
- What is the Scope of HIPAA Compliance?
- HIPAA Risk Assessment: Security Compliance vs Risk Analysis – What is the Difference?
Hilary has eight years of IT audit and assurance experience. Prior to starting at Linford & Co, Hilary worked for Deloitte managing audit readiness assessments, Sarbanes-Oxley 404 and SOC examinations, and complex remediation procedures. Hilary is a certified information systems auditor (CISA), holds a Master’s Degree in Accounting from the University of Colorado-Denver and a Bachelor’s in Business Administration from Colorado State University.