What is a HIPAA Service?
When is a HIPAA Service Used and What is Required?
A HIPAA service is a service performed by one entity that enables another entity to meet its HIPAA compliance obligations. Under HIPAA, healthcare providers frequently contract with vendors who perform services involving protected health information. These services include billing, collections, medical transcription, e-prescribing, and many others. If a vendor performs such a HIPAA service, the vendor is considered a business associate and must comply with HIPAA regulations.
When is a HIPAA Service Used?
Healthcare providers frequently contract with other entities to perform services involving protected health information (PHI). Sometimes, healthcare entities will contract with a service for the sake of convenience. For example, if a patient has not paid for healthcare services, a healthcare organization may refer the patient’s account to a collections agency. Once the account is referred, the collections agency seeks payment directly from the patient. By contracting with the collection agency to provide this service, the healthcare entity can spend time on other activities.
Healthcare providers also contract with other entities to provide a HIPAA service when the service the provider needs is outside its area of expertise. For example, the healthcare provider may not have a designated IT department capable of providing remote backup services. Healthcare providers often contract with IT consultants and contractors to provide these and other security services that allow the provider to satisfy its obligations under the HIPAA Security Rule.
What is Required When a Provider Uses a HIPAA Service?
Entities with which providers contract to provide services involving the creation, maintenance, receipt, or transmission of protected health information are known under HIPAA as “business associates.” Before a business associate can create, maintain, provide, or transmit PHI, the business associate must enter into an agreement with the provider. This agreement, known as a business associate agreement or business associate contract, must contain language requiring the business associate to provide satisfactory assurances to the provider that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the provider. The HIPAA Privacy Rule requires that these satisfactory assurances be in writing.
The business associate agreement must contain the following components, among others:
◈ A description of when the business associate is permitted to use PHI, and when the business associate is required to use PHI;
◈ A provision prohibiting the business associate from further using or disclosing the PHI other than as permitted or required by the contract or as required by law;
◈ A requirement that the business associate use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the agreement.