Archive for Business Associate Agreement

Submit your HIPAA questions to Editor John Castelluccio at jcastelluccio@hcpro.com and we will work with our experts to provide the information you need.

Q: The hospital where I work uses a large radiology group for radiology interpretations, for which the group bills the hospital. Both are covered entities (CE).

The hospital provides the group with an electronic data feed of all demographic information needed for billing on patients admitted to the hospital. The feed transmits information about all patients, because it is impossible to know at admission which patients will need radiology services. The group uses the demographic data to prepare interpretative radiology reports and then bills us for the professional services. Should either party be concerned about unauthorized disclosure, or is it okay to provide the additional patient information because the stream is needed for the group’s payment activity?

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: My facility is considering working with a software company based in Canada. What can we do to ensure that our facility and the vendor are HIPAA-compliant? Should we have a business associate agreement (BAA) with the vendor?

A: A Canadian company would not be required to comply with the privacy and security rules. A BAA would still be a good idea, as it outlines actions to take in the event of a breach, but it wouldn’t provide you any protection from liability (nor would one signed with an American company, actually). I would also vet the product and the company to ensure it is as secure as possible and document reference checks as well. In the event of an incident, such activities will show you exercised due diligence.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Q: I work for a small hospital that recently received requests to sign business associate agreements (BAA) with physician practices in the area whose patients we treat. I have heard that BAAs are required for business associates (BA) who are dealing with PHI but are not required when the relationship is based on providing direct patient care. I do not think we need to sign these BAAs. What is correct under HIPAA?

A: You are correct. Since your hospital is not providing services on behalf of these physician practices, they are not BAs. However, you may share PHI with them as part of the treatment process. Your hospital would be a BA of the practices if it performed specific services, such as billing, for them.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Q: What must an organization consider in terms of HIPAA if it were to film a commercial on-site? Does the hospital need to sign a confidentiality agreement or business associate agreement (BAA) with the film crew? Should the privacy, security, or compliance officers be notified? Would the crew be permitted to film in the ED without consent from those present if the curtains were drawn and doors were closed?

A: You should have the film crew sign confidentiality agreements since they may see or overhear patient information while they are on-site. If the commercial is being produced for the healthcare organization, the company creating the commercial would be considered a business associate (BA) and should sign a BAA.

Discuss the situation with your HIPAA privacy, security, and compliance officers in advance to ensure the filming complies with your organization’s policies.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Sep 12

HIPAA Q&A: Group health plans


Q: I am employed by an independent and assisted living retirement facility. The facility does not transmit electronic records (i.e., PHI) of our residents or staff for any kind of reimbursement. We offer health insurance to our employees and have been asked by our health insurance broker to sign a business associate agreement (BAA) because our broker says our organization is considered a covered entity (CE) under HIPAA. Upon requesting that the facility enter into a BAA, the broker sent the following message:

“As an employer, you are a ‘covered entity’ under HIPAA because you sponsor a Group Health Plan. That means you are responsible for making sure that your business associates who receive PHI about you or your employees handle this information properly—we are one of these business associates.”

The retirement facility does not consider itself a CE. Is the organization considered a CE because it offers health insurance to its employees?

A: CEs under HIPAA are healthcare clearinghouses, certain healthcare providers (those that use covered transactions like electronic billing), and health plans.

A group health plan is a CE (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as CEs under HIPAA.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.