What is PHI Under HIPAA? Requirements for Compliance
Read articleBusiness Associate Agreement Template
Use this template as a starting point for your business associate agreement and customize it to fit your needs.
DownloadWho Needs to be HIPAA Compliant? Covered Entities vs Business Associates Explained
Join the thousands of companies using Secureframe
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established standards for protecting the security and privacy of sensitive patient data. The law applies to covered entities and their business associates.
But there’s a simpler way to answer the question: do I need to be HIPAA compliant?
If your organization creates, stores, processes, or transmits protected health information, you must adhere to HIPAA regulations.
Under HIPAA, protected health information — commonly referred to as PHI — includes any personal data that can be directly or indirectly linked to a specific individual.
HIPAA rules apply to both covered entities and business associates, but the way the law is administered varies slightly based on which category an organization falls into.
Recommended Reading
What’s the difference between a covered entity and a business associate?
Covered entities include:
- Healthcare providers: doctors’ offices, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, labs
- Health plans: health insurance companies, HMOs, company health plans, and government programs that pay for healthcare including Medicare/Medicaid and veterans’ healthcare programs
- Healthcare clearinghouses: organizations that process nonstandard health information to conform to standards for data content or format on behalf of another organization
Business associates are individuals or organizations that provide services on behalf of a covered entity and also interface with PHI or ePHI. Examples of business associates include:
- Software providers whose products interact with systems that contain ePHI, as well as cloud service providers, cloud platforms, and file storage companies
- Claims processing services
- Data analysis services
- Quality assurance services
- Billing services
- Attorneys or legal consulting services
- CPA firms
- Accounting services
Consultants employed by a covered entity are considered part of that covered entity’s workforce and are not considered business associates.
HIPAA compliance requirements for covered entities and business associates
The HIPAA Privacy Rule requires that covered entities get “satisfactory assurances” from business associates that they will take the necessary steps to safeguard any protected health information they may receive or create on behalf of the covered entity. These assurances must be made in writing in the form of a Business Associate Agreement (more on BAAs below).
Business associates may only use protected health information for the express purposes defined by the covered entity. They must also protect that information from misuse by following the requirements laid out in the HIPAA Privacy Rule. Business associates are responsible for ensuring any subcontractors also agree to comply with HIPAA rules in the form of a BAA.
If a covered entity discovers that a business associate has suffered a data breach or otherwise mishandled PHI, they must take reasonable steps to address the breach and end the HIPAA violation —or terminate their contract with the business associate. If none of those steps are possible, the covered entity is required to report the issue to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
What to include in a HIPAA business associate agreement (BAA)
Business Associate Agreements define the business associate’s responsibilities regarding PHI and the steps they will take to comply with HIPAA rules. These agreements include a few key elements:
- A description of the permitted and required uses of PHI by the business associate
- Provisions that the business associate will not use or disclose PHI other than is permitted or required by the contract or by law
- Requirements that the business associate will implement proper safeguards to prevent the unauthorized use or disclosure of protected health information
There are some situations where covered entities are not required to have a business associate agreement in place before disclosing PHI. These include:
- When a covered entity discloses PHI to facilitate treatment for an individual patient. For example, transmitting a patient’s medical record to an outside specialist or laboratory.
- When a public health plan such as Medicare discloses PHI to an administrator to determine eligibility for enrollment
- When a covered entity discloses PHI to a health plan for payment purposes
- When the business associate’s services do not involve the use or disclosure of PHI, such as an electrician or plumber, or when the business associate acts as a conduit for PHI, such as the US Postal Service or private couriers
- When PHI is disclosed among covered entities that are part of an organization health care arrangement (OHCA), such as when a group health plan purchases insurance from a health insurance issuer or HMO
- When PHI is disclosed to a researcher for research purposes, either with patient authorization or as a limited data set
- When a financial institution processes payment card transactions, clears checks, or processes electronic funds transfers
