Submit your HIPAA questions to Editor Jaclyn Fitzgerald at email@example.com  and we will work with our experts to provide the information you need.
Q: I am looking for any information that would help my organization determine how to define a credentials verification organization (CVO) under HIPAA guidelines. A CVO performs healthcare operations for a covered entity (CE) and must be HIPAA compliant, according to HHS. However, a CVO does not seem to fit the definition of healthcare provider, health plan, or clearinghouse.
A: If the CVO is an outside company that is providing services on behalf of your CE and needs access to PHI to do its job, the CVO is considered a business associate (BA) of your organization. You are required to have a BA agreement with the CVO, and it must meet the requirements of a BA agreement. If the CVO has access to provider information but not patient information, it does meet the definition of a BA.]
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information at Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA .