As a broker, you’re not likely to be considered a covered entity under HIPAA. But if you have access to private health information, you may still have HIPAA responsibilities as a business associate. The HHS Office for Civil Rights (OCR) issued a new HIPAA fact sheet for business associates. OCR Director Roger Severino said, “We want to make it as easy as possible for regulated entities to understand and comply with their obligations under the law.”
According to the fact sheet, business associate activities include the following:
- Benefit management
- Claims processing or administration
- Data analysis
- Utilization review
- Quality assurance
- Billing
- Practice management
- Repricing
OCR has the authority to take enforcement action against business associates for the following:
- Failing to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
- Having impermissible uses and disclosures of protected health information
- Retaliating against anyone who files a HIPAA complaint, participates in an investigation or other enforcement process, or opposes an act or practice that is unlawful under HIPAA
- Failing to comply with Security Rule requirements
- Failing to provide records and compliance reports to the Secretary
- Failing to cooperate with investigations and compliance reviews
- Failing to allow the Secretary to have access to information, including protected health information
- Failing to provide breach notification to a covered entity or other business associate
- Failing to disclose a copy of electronic protected health information to the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively
- Failing to provide an accounting of disclosures in certain circumstances
- Failing to enter into business associate agreements with subcontractors that create or receive protected health information on their behalf, and failing to comply with the implementation specifications for such agreements
- Failing to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement
LISI compliance services are designed to support you and your employer groups. Contact your LISI Regional Sales Manager for additional guidance on HIPAA.