HHS Provides Guidance re: BA Compliance and Transactions
On March 22nd, the Department of Health and Human Services (HHS) published "Guidance on HIPAA Covered Entities' responsibility to require that Business Associates comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations" to clarify covered entities' (CE) obligation to require that their business associates (BA) comply with the Administrative Simplification requirements. What does this mean, and what does a CE need to do? This guidance falls outside the Privacy, Security and Breach Notification Rules that we work with, and of course we cannot provide legal advice, so we've linked the source document to the graphic below and will summarize what we're reading.
Some BAs provide services to, or conduct transactions on behalf of, CEs using the electronic health care transactions, code sets, unique identifiers, and operating rules adopted under HIPAA. The CE's responsibilities are set out in § 162.923(c), which states that a "...CE may use a BA, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following:
(1) Comply with all applicable requirements of this part.
(2) Require any agent or subcontractor to comply with all applicable requirements of this part."
The requirements related to standards for electronic transactions, code sets, unique identifiers, and operating rules apply directly only to covered entities, but § 162.923(c) requires a CE to require its BAs to comply. So when a CE engages a BA to conduct, on its behalf, all or part of a transaction for which a standard has been adopted, the BA, and any of its agents or subcontractors, must comply with the applicable requirements.
The guidance also discusses scenarios in which a CE is acting as a BA for another CE. It is our observation that many CEs don't acknowledge their role as a BA despite performing services on behalf of another CE, but that's a different discussion.
Stay (HIPAA) safe,