HIPAA Compliance – Covered Entity vs. Business Associate

The path to HIPAA compliance is paved with many hurdles. One of the first issues most organizations encounter is identifying how HIPAA applies to them and whether they need to meet compliance. So in order to move forward and start applying the necessary controls to meet compliance, you’ve got to determine whether you are a Covered Entity or a Business Associate. So let’s take a look at which organizations fall under each of these categories before we move forward and take a closer look at the specific controls needed to meet compliance.

Covered Entity

For HIPAA, a covered entity would be any health plans, clearinghouses, or health care providers that submit electronic claims information. These organizations transmit electronic claims information electronically for healthcare activity for which they receive payment. HIPAA has a helpful tool to determine if your organization is a covered entity or not, but really for healthcare providers it boils down to two questions:

Does the person, business, or agency furnish, bill, or receive payment for, health care in the normal course of business?

https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf

Does the person, business, or agency transmit (send) any covered transactions electronically?

https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf

If you can answer “Yes” to both those questions, then you are a healthcare provider that is considered a covered entity for the purposes of HIPAA. Health plans and healthcare clearinghouses are a little more straightforward, and if you call yourself either of those things, then HIPAA compliance definitely applies to you.

Business Associate

Business associates (sometimes referred to as BAs) include any third-party entity that assists a covered entity and has access to the protected information under their control. This can include everything from a transcription service used by a physician to software providers that interact with solutions containing ePHI. Additionally, a covered entity could be considered a business associate to another covered entity. Any individual or organization that is a business associate must comply with HIPAA rules, and if they don’t, they could actually be fined directly for their noncompliance.

Any business associate engaged by a covered entity must be documented and tracked, with specific contracts in place specifying what function the BA has been engaged to perform and their acknowledgment that they must be HIPAA-compliant. Ultimately though, it is the responsibility of the covered entity to ensure that any BAs they engage with are compliant.

Now with these foundational definitions, hopefully you have a better idea of where your organization fits in to HIPAA. The next step in determining your responsibilities, as they relate to protecting covered health information, is a third-party gap analysis to help determine what changes in security controls, administrative policies, and business processes are required to reach and maintain compliance. If you want to talk about everything involved with this type of assessment, reach out today!