HIPAA Privacy and Security Frequently Asked Questions

Q: What is HIPAA Privacy and Security?

A: The HIPAA Privacy Rule provides federal protections for Personal Health Information (PHI) held by covered entities, and  gives patients an array of rights with respect to that information. In addition, the Privacy Rule is balanced so that it permits the disclosure of PHI needed for patient care and other important purposes. 

The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI)1.

The HITECH Act, which is an addition to the overall HIPAA mandates, holds business associates responsible for being compliant with the HIPAA Privacy Rule and Security Rule. The HITECH Act also mandates the Business Associate’s responsibility for holding the covered entity to the Business Associate contract and the HIPAA Privacy Rule and Security Rule. If the Business Associate becomes aware of any non-compliance by the Covered Entity, the business associate must fix the breach, terminate the Business Associate contract, and/or report the non-compliance to the Department of Health and Human Services (HHS)2.

In order to fulfill HIPAA regulations, Business Associates have to comply with the HIPAA Privacy Rule and Security Rule effective Feb 17, 20102.

Q: Who are Business Associates, Trading Partners, and Covered Entities?

A: Covered Entities: Persons or organizations subject to the Privacy Rule. If you will be sending PHI (ePHI) to any outside entity for any services, like a billing service or clearinghouse, you are categorized as the Covered Entity.

Trading Partners: Persons or organizations who will be receiving Electronic Data Interchange (EDI) for purposes of providing a service for the Covered Entity or Business Associate. Any entity that will be sending EDI, such as Electronic Remittance Advice (ERAs), meaning an electronic statement of an explanation of insurance benefits, or any reports covering the statistics of accepted claims versus rejected claims, etc. is the Trading Partner.

Business Associate: Persons or organizations who will be receiving Protected Health Information (PHI or ePHI) from the Covered Entity to provide a service for the Covered Entity. This could be a billing service or clearinghouse, in which you send insurance claims to be further disbursed to multiple payers/health plans.2

 Example:

  • For any person, practice, or business that creates an account with Office Ally and sendsPHI (ePHI) via Office Ally’s services, the account holder, or User, is the Covered Entity, and Office Ally is the Business Associate.
  • When Office Ally sendsthe PHI (ePHI) to payers or third parties, Office Ally becomes the Covered Entity, and the payer or third party is the Business Associate or Trading Partner.
    • User (Covered Entity) sends PHI (ePHI) to Office Ally(Business Associate)
    • Office Ally (Covered Entity) sends PHI (ePHI) to payer/third party (Business Associate/Trading Partner)

Q:What is a Business Associate/Trading Partner Agreement?

A:The Business Associate Agreement (BAA) is Office Ally’s contract between the Covered Entity (the User) and the Business Associate (Office Ally) to ensure the protection of privacy and security of the PHI (ePHI) the User sends to Office Ally. The HIPAA Privacy and Security Rule require a contract of this kind.1  The User (Covered Entity) is responsible for obtaining a Business Associate contract of some kind. Office Ally provides the Business Associate Agreement as a way to satisfy this measure for the User, however, it is not required by Office Ally for the User to sign one.

As Office Ally becomes the Covered Entity by sending PHI (ePHI) to payers or third parties, Office Ally requires a similar Business Associate/Trading Partner contract to be signed, with Office Ally defined as the Covered Entity, and the third party defined as the Business Associate, to ensure continued compliance and privacy. 


Note: In the questions below, the Covered Entity refers to the Office Ally User, and Office Ally as the Business Associate. The obligations and requirements of a Covered Entity and a Business Associate are the same when Office Ally becomes the Covered Entity with a third party Business Associate or Trading Partner

Q: What are the Obligations of the Business Associate?

A: The Business Associate Agreement (BAA) stipulates the requirements and limitations on how PHI (ePHI) is handled by Office Ally.
 

  • Limitations on Use and Disclosures
    • The BAA specifically limits what Office Ally (Business Associate) can do with PHI (ePHI) that has been received or created for the User (Covered Entity). Strict limits are set so Office Ally is only able to use PHI (ePHI) to complete the agreed upon services for the User.
    • Specific Uses and Disclosures that are permitted for Office Ally are listed in the BAA
  • Implement Safeguards to protect PHI (ePHI)
    • Administrative4
    • Physical5
    • Technical6
    • Policies and Procedures determined by HIPAA7
  • Reporting a Breach of PHI (ePHI) security
    • Outlines the responsibilities of Office Ally (Business Associate) if there was any unauthorized discloser of PHI (ePHI)
      • Required to inform the User (Covered Entity) of any breach of PHI (ePHI) within a reasonable timeframe, no more than 10 days from discovery, unless specifically indicated in BAA (II.e.ii)
      • The notice needs to include what information was breached, and who it may have affected
      • Office Ally (Business Associate) will assist in investigating and responding to the breach by providing the necessary information to the User (Covered Entity)
  • Availability of Information to Covered Entity
    • The BAA outlines the type of information and the timeframe in which, if requested, Office Ally (Business Associate) must provide to the User (Covered Entity). This could include, but not limited to:
      • Request to amend PHI
      • Accounting of PHI
      • Availability of Books and Records
      • Record Retention

Q: What are the Obligations of the Covered Entity?

A: The User (Covered Entity) is responsible for conforming to all HIPAA regulations in their own practices, as well as in their dealings with Office Ally (Business Associate). Outlined in the BAA, there are multiple notifications the User (Covered Entity) must give Office Ally (Business Associate) if any of the circumstances apply.

  • One of the HIPAA Privacy Rule regulations is the Notice of Privacy Practices for PHI[1]. If there are any restrictions or changes to that notice that would hinder Office Ally’s (Business Associate) ability to perform its services, the User (Covered Entity) must notify Office Ally.
  • If there are any changes in who is authorized to access PHI (ePHI) in the User’s (Covered Entity) organization or practice, Office Ally (Business Associate) must be notified if the change would, in any way, affect the services provided.
  • The User (Covered Entity) must notify Office Ally (Business Associate) of any new restrictions or changes they have agreed to for the use or disclosure of PHI (ePHI) that would hinder the Business Associate’s ability to provide services.

The HIPAA Privacy and Security Rules establish new regulations to protect patients’ privacy, and improve the security surrounding that information. New obligations and responsibilities for Covered Entities and Business Associates help accomplish this. Office Ally strives continuously to ensure the utmost privacy and security for our users, in both the Covered Entity and Business Associate roles.

 


If any concerns or violations have come to your attention, please contact Office Ally’s Security Officer/HIPAA Project Manager.

Karen Forden
Security Officer/HIPAA Project Manager
360-975-7000 ext. 6241
karen.forden@officeally.com


 

Sources:

1 http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
2 http://www.apapracticecentral.org/update/2010/01-27/hipaa-change.aspx
345 CFR 164.504(e)
445 CFR 164.308
545 CFR 164.310
645 CFR 164.312
745 CFR 164.316
845 CFR 164.520