HIPAA applies directly to:
- A health plan.
- A health care clearinghouse.
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by subchapter 45 CFR 160.103.
It does not apply to any other parties, except for a special group HIPAA calls Business Associates(BA). BA's are businesses that have access to protected health information(PHI) from a covered entity as a normal course of business. (See the definition of a Business Associate for more clarification of the term.) Since HIPAA does not apply directly, the law mandates that covered entities MUST have the BA sign a Business Associate Agreement(BAA) agreeing to provide the same privacy and security to the data that the covered must do. If the BA refuses to sign or violates this agreement, the covered entity must ultimately stop doing business with the BA.
This agreement is a contract that is enforceable in court and is sometime referred to as the Business Associate Contract.
There are various levels of BAA's depending on the level of access or availability the BA has to the PHI. A janitorial firm or computer consultant, for example, is not given access to PHI but has availability to it. These BAA's should be a confidentiality agreement. On the other hand, a third party collection business or a law firm representing the covered entity is given direct access to the PHI and must sign a full BAA. Essentially, in the later example, the Agreement pulls the BA deep into the HIPAA compliance water. That Agreement says the BA will treat the data the same as the covered entity.
There are circumstances where BA's give the protected health information to another party that may not even have a direct relationship with the original covered entity. This type of relationship requires a "Chain of Trust" Agreement between the multiple Business Associates. (See Chain of Trust for more details.)
The Office of Civil Rights gives this definition:
When a covered entity uses a contractor or other non-workforce member to perform "business associate" services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule. Covered entities that have an existing written contract or agreement with business associates prior to October 15, 2002, which is not renewed or modified prior to April 14, 2003, are permitted to continue to operate under that contract until they renew the contract or April 14, 2004, whichever is first.
Related Terms:Business Associate