Difference between revisions of "LII:HIPAA Compliance - LII 007 02. Who Needs to Comply?"
| Line 65: | Line 65: | ||
* An independent medical transcriptionist who provides transcription services to a physician. | * An independent medical transcriptionist who provides transcription services to a physician. | ||
* A pharmacy benefits manager who manages a health plan’s pharmacist network.<ref name="BusinessAssociates">{{cite web |url=http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html |title=Business Associates |publisher=U.S. Department of Health & Human Services |accessdate=8 June 2016}}</ref> | * A pharmacy benefits manager who manages a health plan’s pharmacist network.<ref name="BusinessAssociates">{{cite web |url=http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html |title=Business Associates |publisher=U.S. Department of Health & Human Services |accessdate=8 June 2016}}</ref> | ||
====Business Associate Agreement (BAA)==== | |||
A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Guidance on constructing a BAA is available from the HHS at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. | |||
===Others (Plans, etc.)=== | ===Others (Plans, etc.)=== | ||
Revision as of 16:12, 8 June 2016
HIPAA compliance is highly important in the healthcare arena. Non-compliance can result in fines and other serious consequences. But who is actually bound by this law? HIPAA is comprised of two main segments, the Privacy Rule and the Security Rule. Those who must comply are called "covered entities". According to the HHS, these are:
HIPAA Covered Entities:
So covered entities are doctors, clinics, hospitals, dentists, nursing homes and pharmacies that transmit data electronically, as well as health plans, insurance plans and healthcare clearinghouses.[1]
Healthcare Providers
Every health care provider (regardless of size) who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include:
- Claims
- Benefit eligibility inquiries
- Referral authorization requests
- Other transactions for which HHS has established standards under the HIPAA Transactions Rule
It's important to note that using electronic technology (e.g. email) does not mean a healthcare provider is a covered entity. The transmission must be in connection with a "standard transaction".
Transactions are electronic exchanges involving the transfer of information between two parties for specific purposes. For example, a healthcare provider will send a claim to a health plan to request payment for medical services.[2]
In the HIPAA regulations, the Secretary of Health and Human Services (HHS) adopted certain standard transactions for Electronic Data Interchange (EDI) of healthcare data. These transactions are:
- Claims and encounter information
- Payment and remittance advice
- Claims status
- Eligibility, enrollment and disenrollment
- Referrals and authorizations
- Coordination of benefits and premium payment[2]
The standard does not encompass telephone voice response and fax-back systems.[3]
The Privacy Rule covers a healthcare provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Healthcare providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for healthcare.[1]
Business Associates
Healthcare providers don't always do everything that involves patient information themselves. There are very often other entities contracted for a variety of services. As a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act that was passed in 2009, HIPAA has also been expanded to include business associates. Business associates are those persons or organizations that function on behalf of a covered entity, such as a doctor, and who either use or receive identifiable health information.[4]
According to 45 CFR 160 part 103 Definitions, Business Associate functions or activities on behalf of a covered entity include:
- Claims processing
- Data analysis
- Utilization review
- Billing
- Legal services
- Actuarial services
- Accounting
- Consulting
- Data aggregation
- Management
- Administrative services
- Accreditation
- Financial services
A Business Associate is also anyone, not in the workforce of the covered entity, who performs any activities for a covered entity that are covered by HIPAA. Consider that an "...and all other related" kind of clause. Subcontractors of Business Associates who fit these criteria are also subject to HIPAA.[5]
However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can also be the business associate of another covered entity.[1]
Here are some examples provided by the HHS of Business Associates:
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant who performs utilization reviews for a hospital.
- A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist who provides transcription services to a physician.
- A pharmacy benefits manager who manages a health plan’s pharmacist network.[6]
Business Associate Agreement (BAA)
A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Guidance on constructing a BAA is available from the HHS at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
Others (Plans, etc.)
References
- ↑ 1.0 1.1 1.2 "Summary of the HIPAA Privacy Rule". U.S. Department of Health and Human Services. http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Retrieved 8 June 2016.
- ↑ 2.0 2.1 "Transaction & Code Sets Standards". U.S. Centers for Medicare and Medicaid Services. https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/TransactionCodeSetsStands/index.html?redirect=/TransactionCodeSetsStands. Retrieved 8 June 2016.
- ↑ "What Are HIPAA Transaction and Code Sets Standards?". Texas Medical Association. https://www.texmed.org/Template.aspx?id=1599. Retrieved 8 June 2016.
- ↑ "Patient Privacy: A Guide for Providers". Office for Civil Rights at the US Department of Health and Human Services. http://www.medscape.org/viewarticle/781892_2. Retrieved 8 June 2016.
- ↑ "Title 45: Public Welfare, PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS, Subpart A — General Provisions". US Government Publishing Office. http://www.ecfr.gov/cgi-bin/text-idx?SID=7d3448738e75c9fd893c236c65924180&mc=true&node=se45.1.160_1103&rgn=div8. Retrieved 8 June 2016.
- ↑ "Business Associates". U.S. Department of Health & Human Services. http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html. Retrieved 8 June 2016.
