HIPAA rules concerning the privacy and security of health information are quite strict. Currently, business associates of HIPAA covered entities must also be HIPAA-compliant. Most businesses know whether their company is a HIPAA covered entity, but what about a HIPAA business associate? If you signed a HIPAA business associate agreement (BAA), as defined in 45 CFR 160.103, then you are definitely a business associate. The following are some of the situations where the answer is less clear:
Do any of the companies your company regularly works with qualify as a covered entity? The U.S. Department of Health and Human Services (HHS) states that health care providers, health plans, and health care clearinghouses are covered entities. These entities engage business associates to help them and should sign some form of BAA or contract when they do so. The Legal Information Institute at Cornell University provides access to the actual text of 45 CFR 160.103, the section of the law that defines "covered entities" and "business associates." For further information, Forbes contributor Newtek offers some good examples that elaborate on covered entities in the article "Does Your Business Need To Be HIPAA-Compliant?"
In general, if a company handles Protected Health Information (PHI), either on paper or electronically (ePHI), it is potentially a HIPAA business associate. This sometimes includes businesses not generally thought of as part of the medical field, such as law firms and accounting firms. If health records come across a company's desk for transcription, or if the company performs data conversion or de-identification, there are cases in which the company will be considered a business associate. HealthInfoLaw.org has an infographic, put together by the Robert Wood Johnson Foundation and the Hirsh Health Law and Policy Program at George Washington University, to help companies determine whether they are a HIPAA business associate. A company that wishes to be 100% certain should consult an attorney to determine whether it is a HIPAA business associate, needs a BAA, and must be HIPAA-compliant.
It is important to know whether a company is a HIPAA business associate because those that are can be audited by the HHS Office for Civil Rights. Companies to which business associates subcontract work may also need to be HIPAA-compliant.