Thursday, May 30, 2019

Department of Health and Human Services Clarifies how HIPAA Applies to Business Associates


HIPAA can be complicated and often scary (if you are a small provider) to follow correctly. Many large healthcare companies have entire departments dedicated to understanding the federally mandated privacy laws and keeping their entities in compliance. Another scary part of the rule stems from the simple fact that healthcare is such a complicated field that hardly any healthcare entity works in isolation.

No, most use third parties for all types of services, and those services can frequently mean that the third parties have access to federally protected data. Here is how the Department of Health and Human Services addresses the issue of third parties:

By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.

Now, thankfully, HHS has come up with a “Fact Sheet on Direct Liability of Business Associates Under HIPAA.”

This document will help healthcare companies and their third parties understand what is covered, what is not, and who is responsible for what. Hopefully this will bring some much needed clarity to a very confusing aspect of the business of healthcare and the responsibility of keeping patient data safe.

The new Fact Sheet can be accessed from this link.
