
Is a Covered Entity Liable For, or Required to Monitor The Actions of Its Business Associates?

Luckily, the answer to this question is a good one for covered entities. Business associates are liable for their own actions and every piece of protected information they are given. What covered entities need to make sure of is that they properly enter into a contract that protects the privacy of protected information.

Monitoring or overseeing the work or actions of business associates is not required nor is it expected. Business associates are wholly responsible for complying with the privacy safety measures spelled out in the contract between the covered entity and the business associate.

The biggest concern for a covered entity when it comes to its business associates is acting on information or evidence that a business associate is not complying with the contract. If a covered entity neglects to act on evidence it finds or discovers indicating that a business associate is not in compliance with the precautions in place in the contract, then the covered entity can be charged for neglect.

When a breach or violation is discovered, a covered entity is expected to take appropriate action to secure the breach or end the violation. If it is not possible to secure the breach or end the violation, the entity is expected to terminate the contract.

There are several details that can’t be succinctly explained in a short summary; therefore, it is up to the covered entity to make sure it is operating within the policies of the HIPAA laws.

What’s The Difference Between A Covered Entity & Business Associate?

Knowing the distinction between a covered entity and a business associate is essential because the Health Insurance Portability and Accountability Act Privacy Rule is administered differently for the two. If you understand the difference, then you understand who has access to your medical data and what authority they have over that medical information.

The HIPAA Privacy Rule protects a person’s medical records and other personal health information, and gives that patient rights to their health information. But it also applies to covered entities and business associates, in that it requires each to follow specific rules and sets restrictions and conditions on the use and disclosure of certain patient information.

Legally, the HIPAA Privacy Rule applies only to covered entities. A covered entity can be a health plan, health care clearinghouse or health care provider that electronically transmits any type of health information. Examples of these are your doctor, hospital, insurance company and health insurance plan, no matter if it’s a private, employee, state or federal plan.

But it’s common for a lot of health care providers and health plans to use the services of other individuals or a business to help carry out their health care functions. Thus we get business associates.

More specifically, a business associate is an individual or entity that executes particular responsibilities that include the use or disclosure of protected health information in support of, or as a service to, a covered entity. A health plan, health care clearinghouse or covered health care provider could be a business associate for another covered entity, but a member of the covered entity’s personnel is not considered a business associate.

Possible business associates are an attorney, a CPA firm, an independent medical transcriptionist or a pharmacy benefits manager. Services provided by business associates can be accounting, billing, claims processing or data management. And of course, these are just a few examples of each.

Covered entities hold the responsibility for guaranteeing their business associates are safeguarding protected health information. The contract between a covered entity and its business associate must be HIPAA compliant, and if a business associate breaches its contract, then it’s up to the covered entity to correct that breach or terminate the contract.