
Archive for Business Associates

Submit your HIPAA questions to Editor John Castelluccio at jcastelluccio@hcpro.com and we will work with our experts to provide the information you need.

Q: The hospital where I work uses a large radiology group for radiology interpretations, for which the group bills the hospital. Both are covered entities (CE).

The hospital provides the group with an electronic data feed of all demographic information needed for billing on patients admitted to the hospital. The feed transmits information about all patients, because it is impossible to know at admission which patients will need radiology services. The group uses the demographic data to prepare interpretative radiology reports and then bills us for the professional services. Should either party be concerned about unauthorized disclosure, or is it okay to provide the additional patient information because the stream is needed for the group’s payment activity?

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: What must an organization consider in terms of HIPAA if it were to film a commercial on-site? Does the hospital need to sign a confidentiality agreement or business associate agreement (BAA) with the film crew? Should the privacy, security, or compliance officers be notified? Would the crew be permitted to film in the ED without consent from those present if the curtains were drawn and doors were closed?

A: You should have the film crew sign confidentiality agreements since they may see or overhear patient information while they are on-site. If the commercial is being produced for the healthcare organization, the company creating the commercial would be considered a business associate (BA) and should sign a BAA.

Discuss the situation with your HIPAA privacy, security, and compliance officers in advance to ensure the filming complies with your organization’s policies.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Sep 12

HIPAA Q&A: Group health plans


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: I am employed by an independent and assisted living retirement facility. The facility does not transmit electronic records (i.e., PHI) of our residents or staff for any kind of reimbursement. We offer health insurance to our employees and have been asked by our health insurance broker to sign a business associate agreement (BAA) because our broker says our organization is considered a covered entity (CE) under HIPAA. Upon requesting that the facility enter into a BAA, the broker sent the following message:

“As an employer, you are a ‘covered entity’ under HIPAA because you sponsor a Group Health Plan. That means you are responsible for making sure that your business associates who receive PHI about you or your employees handle this information properly—we are one of these business associates.”

The retirement facility does not consider itself a CE. Is the organization considered a CE because it offers health insurance to its employees?

A: CEs under HIPAA are healthcare clearinghouses, certain healthcare providers (those that use covered transactions like electronic billing), and health plans.

A group health plan is a CE (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as CEs under HIPAA.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

The September 22, 2014 deadline to revise business associate agreements (BAA) may have seemed like a date far into the future when the HIPAA omnibus final rule was released January 25, 2013. However, this compliance date is just around the corner as we continue to move along the road toward establishing and maintaining compliance with the HIPAA privacy and security rules.

This date in September is notable because many organizations—both covered entities (CE) and business associates (BA)—find themselves dealing with the need to update or revise their BAAs. CEs were allowed to use existing BAAs for an additional year following the September 23, 2013 omnibus rule compliance date. Essentially, this meant that BAAs in place prior to January 25, 2013, which were not going to expire prior to September 22, 2013, could continue to be used until September 22, 2014. This gave BAs and CEs 18 months to determine what changes were needed to comply with the omnibus rule and then update or revise their BAAs accordingly. Despite the window of opportunity to address the issue of updating BAAs, it seems from my perspective that the majority of activity related to this task began occurring about a month or so before September 22, 2014.

HHS posted a sample BAA on its website January 25, 2013. In the second paragraph of the introduction, HHS lists 10 items that must be included in the written contract between a CE and its BA. Even though CEs and BAs may have recently updated their BAA in time for the compliance date, I believe it is worth the time to review these updated agreements and ensure they include the requirements identified in the HIPAA omnibus final rule.

Editor’s note: This post is adapted from an article written by Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, for HCPro’s Briefings on HIPAA (BOH). Look for the complete article in an upcoming issue of BOH. Ruelas is a BOH editorial advisory board member.


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I understand that the U.S. Postal Service (USPS), United Parcel Service, and other delivery service employees and/or their management are not considered business associates (BA) under the HIPAA Privacy Rule. Therefore, I reasonably conclude that because HIPAA does not directly apply to the USPS, its inadvertent “loss” of patient medical records by any means through its systems and/or processes is not a breach. My organization has been informed several times that USPS mail equipment destroyed an outer envelope, patient records were then “lost,” and no one knows where the records are. Our attorney says this is a breach situation for which we are responsible, though the error is through no fault of our own. If the USPS is neither a covered entity nor BA, does this situation truly qualify as a breach?

A: Your attorney is correct. USPS is not a BA; it is a conduit. That said, if a breach of unsecure PHI occurs, it is potentially reportable no matter who is responsible. Your organization should conduct the four-factor risk assessment described in the Breach Notification Rule. Assume that patients must be notified unless you can prove otherwise.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.