HHS Issues Fact Sheet on Business Associate Liability for HIPAA Violations

June 3, 2019

As a resource that could be useful for our members, ANCOR is sharing this fact sheet on when business associates are liable for Health Insurance Portability and Accountability Act (HIPAA) violations, as written by the Department of Health and Human Services (HHS). HIPAA is a cornerstone law to ensure the privacy of people receiving health care – including people with disabilities receiving supports in the community. Note that ANCOR is expecting to see a proposed rule on HIPAA come out in July that may alter some of these definitions – but this fact sheet states the current law in place.

Those less familiar with what business associates are might find this HHS webpage informative. The definition of business associates on the page is:

“What Is a “Business Associate?” A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of ‘business associate’ at 45 CFR 160.103.”