Can A Business Associate Self-Certify or Be Certified By A Third Party As HIPAA Compliant?

Too often there are misconceptions about new laws or policies because too little effort has been made to educate people or to elaborate on the details of the changes those laws or policies will bring about.

That is the case with the new HIPAA laws that have been in effect since September 2013. Evidence of this is the overwhelming number of people who are asking for clarification on many of the details of the new changes and restrictions applicable to their organizations.

The question that serves as the title of this post is an example of the many questions that have surfaced since enforcement of the new HIPAA rules began. The answer is a simple no: a business associate cannot self-certify, or be certified by a third party, as HIPAA compliant.

The reason is that a business associate, while performing its paid duties for a covered entity, is subject to exactly the same restrictions and laws as the covered entity itself. HIPAA compliance for a business associate therefore rests on a contract with the covered entity, not on a certificate.

So, what must the contract include in order to be compliant under the new HIPAA law?

The contract must hold the business associate accountable for the proper use of protected health information. It must also restrict how the business associate may use that information. Additionally, it must require the business associate to make any health information available to the individuals to whom it belongs as well as to the covered entity.

Beyond these requirements there are several other details that a covered entity should research and abide by in order to protect itself and comply with the new HIPAA laws.

What’s The Difference Between A Covered Entity & Business Associate?

Knowing the distinction between a covered entity and a business associate is essential because the Health Insurance Portability and Accountability Act Privacy Rule is administered differently between the two. If you understand the difference, then you understand who has access to your medical data and what authority they possess to do with that medical information.

The HIPAA Privacy Rule protects a person’s medical records and their other personal health information, as well as gives that patient rights to their health information. But it also applies to covered entities and business associates, in that it requires each to follow specific rules and sets restrictions and conditions on the use and disclosure of certain patient information.

Legally, the HIPAA Privacy Rule just applies to covered entities. A covered entity can be health plans, health care clearinghouses or health care providers that electronically transmit any type of health information. Examples of these are your doctor, hospital, insurance company and health insurance plan — no matter if it’s a private, employee, state or federal plan.

But it’s common for a lot of health care providers and health plans to use the services of other individuals or a business to help carry out their health care functions. Thus we get business associates.

More specifically, a business associate is an individual or entity that executes particular responsibilities that include the use or disclosure of protected health information in support of, or as a service to, a covered entity. A health plan, health care clearinghouse or covered health care provider could be a business associate for another covered entity, but a member of the covered entity’s personnel is not considered a business associate.

Possible business associates are an attorney, a CPA firm, an independent medical transcriptionist or a pharmacy benefits manager. Services provided by business associates can be accounting, billing, claims processing or data management. And of course, these are just a few examples of each.

Covered entities are responsible for ensuring that their business associates safeguard protected health information. The contract between a covered entity and its business associate must be HIPAA compliant, and if a business associate breaches that contract, it is up to the covered entity to have the breach corrected or to terminate the contract.