HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



HIPAA Q&A: Guidelines for credentials verification organizations

Email This Post Print This Post

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I am looking for any information that would help my organization determine how to define a credentials verification organization (CVO) under HIPAA guidelines. A CVO performs healthcare operations for a covered entity (CE) and must be HIPAA compliant, according to HHS. However, a CVO does not seem to fit the definition of healthcare provider, health plan, or clearinghouse.

A: If the CVO is an outside company that is providing services on behalf of your CE and needs access to PHI to do its job, the CVO is considered a business associate (BA) of your organization. You are required to have a BA agreement with the CVO, and it must meet the requirements of a BA agreement. If the CVO has access to provider information but not patient information, it does meet the definition of a BA.]

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information at Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA.

Categories : HIPAA Q&A

Leave a Reply