It’s hard to believe we are nearing the end of the first quarter of 2019. It’s been a busy few months for sure and it’s easy to let the finer points of compliance slip to the back recesses of your mind if you’re not careful.
Most healthcare providers understand the basics of what constitutes a business associate but do not appreciate how broad the term is. Before the 2013 Omnibus Rule it was common to assume that another covered entity, such as a lab providing testing or a clinic providing direct services, could never be your business associate, since it is responsible for its own HIPAA compliance. The Omnibus Rule made it clear that status as a covered entity is not what matters; the function performed is. Anyone outside your organization that creates, receives, maintains or transmits your PHI in order to perform a service on your behalf is a business associate, and that includes other covered entities when they act in that capacity. The main exception is treatment: a provider you share PHI with so that it can treat your patient is not your business associate for that disclosure. A provider that is not employed by you but does work on your behalf (billing, coding, utilization review, consulting) is, and needs a HIPAA business associate agreement.
Since the rule change, IT providers that furnish infrastructure used for ePHI are also business associates, even if their employees never actually view the data. The old "conduit" exception is narrow: it covers only transient transmission services, such as a carrier or ISP, not anyone who stores PHI for you. HHS has also confirmed that a cloud provider holding encrypted ePHI is still a business associate even when it never has the decryption key. That can include companies providing:
Messaging
Cloud hosting
Backup storage / disaster recovery
Paper records storage
Applications that process PHI
Technical support
Data destruction
Electronic security tools
Business associate agreements are an important part of protecting your patients' health information, and they are also where the obligations of breach notification, safeguards and subcontractor flow-down get set in writing. It's critical that you review yours today.
Do you need help in determining who is a business associate or need a review of your current BAAs? Email info@nexa1.com or drop a note in the comments and let us know how we can help you. We’re here for the success of your practice.