Am I a HIPAA Business Associate? | HIPAA Consulting and Training Services | Kardon

Facebook
Twitter
Linkedin

Home
About Us
Services
Resources
Contact Us

Select Page

Am I a Covered Entity?

Is my vendor a Business Associate?

Am I a HIPAA Business Associate?

It is important to first determine if there is any patient information involved in your business at all. Before you quickly determine that your services are not those of a Business Associate, let’s review some examples:

Consider and weigh incidental exposure to PHI
There are exceptions for entities that function as conduits. Those exceptions apply to companies that transmit but never hold access to data. In these cases, you should consider protecting yourself as well as the the data you or your staff may be able to access. For example:
- Courier services, US Post office, etc fall under the conduit exception.
- As a phone company, PHI may go over your lines. There is little access to data, if at all. However, if you are telecom service provider, do your technicians ever have access to voicemail or data transmissions?
- There are no concerns for a company that sells copier/fax machines or similar office or clinical equipment. However, can your service technicians or any staff member access data during repairs or at the end of a lease term?
- A cleaning service may never see patient information when cleaning the office during normal business hours. Any work they do shouldn't put them in direct contact with patient information except by complete accident. However, consider gaps in physical and technical security safeguards if service is performed after normal business hours.
Based on the excerpt above, which of the following is most likely represents your company's exposure to PHI?
- My services are more involved than these examples
- Although my business may not perform the services of a Business Associate, there may not be sufficient controls in place that completely restrict access to patient data
- I am absolutely certain access to PHI would be limited and incidental
Do you provide services to any businesses (medical or otherwise) that use, store or have access to patient information for any medical procedures of any kind?*
Don't worry yet about what happens with it, just consider if there is any chance of seeing or accessing patient data.
- Yes
- No
- I'm not sure
Access to protected health information.
If anything you do involves being able to see or access a patient name, address, social security number or date of birth, you are likely a Business Associate.
- Name
- Street address
- Telephone number
- E-mail addresses
- Social Security Number
- Medical record number or other health plan account numbers
- Certificate or License Numbers
- Device identifiers and serial numbers
- Device URL’s or IP addresses
Does any of the data you have access to include any of the above fields, on paper or electronically; whether or not you use or need the data to perform your services?*
- Yes
- No
- I'm not sure
Provide Services or Activities to Medical Practices
A Business Associates as defined by HIPAA regulations cover a broad spectrum of activity. Below are a list of services that often involve Business Associates:
- legal
- actuarial
- accounting
- consulting
- data aggregation
- physical or electronic data storage
- management
- administrative
- accreditation
- financial services
- technology support services
- application support services
- data storage services
- shredding services
And here is a list of some activities that may be performed a Business Associate or Subcontractor:
- claims processing or administration - data analysis, processing, or administration
- utilization review
- quality assurance
- patient safety activities
- billing
- benefit management
- practice management
- repricing
- data storage services
Do you, your vendors or subcontractors provide any of the these services or activities to a medical practice or to a company that supports the healthcare industry?
- Yes, I perform one or more of these services or activities
- No, I do not perform any of these services, but I have vendors or subcontractors that do
- No, my services do not fall within these guidelines
Access, Controls and Exceptions*
Any company that stores patient information, even encrypted, is now considered a BA under the 2013 rules. Simply having persistent access to the protected information is all that matters.
The key for determining exceptions that might apply is defining the transient vs persistent nature of access. If the access to data or your level of access to the data is very rare, very brief in nature and then removed, you may not be a BA. If, however, your access to the data is always present, then you are a BA. Even if you have no need to see the data, the fact that you have it consistently available makes you a BA. The Final Rule specifically states that a data storage company is a BA even if they store the data in an encrypted format - what matters is it is always on their servers.
- I store patient information on my servers or through my services
- To provide my services I must have administrative rights to systems that access or store patient information
- Neither I nor any of my vendors or subcontractors have any access to patient information electronically
You would be considered a Business Associate defined by HIPAA standards
Your vendor may not be a Business Associate defined by HIPAA standards. However, be certain to consider the physical and technical safeguards you have in place. Addressing confidentiality is also strongly recommended.

Wanna Talk To Us?

Ready to join the Kardon Family? Contact Us Now.



info@kardonhq.com



(678) 292-5001



PO Box 2790, Tucker, GA 30085

Home
About Us
Services
Resources
Contact Us

Facebook
Twitter
Linkedin

We use cookies for various purposes including analytics and personalized marketing. By continuing to use the service, you agree to our use of cookies.