
HIPAA Compliance Certification for Business Associates



The Department of Health and Human Services has imposed its first CMP (civil money penalty) for violations of the HIPAA Privacy Rule, against Cignet. The Privacy Rule violations and the fine of $4.3 million are based on provisions of the HITECH (Health Information Technology for Economic and Clinical Health) Act. OCR found that Cignet showed willful neglect by knowingly denying patients access to their medical records when they were requested. Had Cignet provided those 41 medical records within 30 days, and no later than 60 days, of the patients' requests, and had it cooperated with OCR during the investigation, it could have avoided this devastating fine. The Director of OCR stated that DHHS will continue such investigations, and the DHHS Secretary stated that the privacy of health information is a priority and that DHHS is serious about enforcing the HIPAA Rules.

Furthermore, the HITECH Act not only made noncompliance more costly, but also made BAs (Business Associates) statutorily responsible for the HIPAA Privacy and Security Rules. The HIPAA Administrative Simplification regulation, 45 CFR 160.103, defines a Business Associate as a person or entity that works, performs functions or assists on behalf of a CE (covered entity) in a way that involves using or disclosing PHI (protected health information). Claims processing, data analysis and processing, billing, benefit management and quality assurance are some of the functions performed by a BA. A BA is not an employee of the CE.

The following are examples of Business Associates:

  • A third-party administrator who assists a health plan with claims processing.
  • A CPA firm whose accounting services to a healthcare provider involve access to PHI (protected health information).
  • An attorney whose legal services to a health plan involve access to PHI.
  • A consultant who performs utilization reviews for a hospital.
  • A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a healthcare provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist who provides transcription services to a physician.
  • A pharmacy benefits manager who manages a health plan’s pharmacist network.

Achieving HIPAA compliance as a Business Associate is a necessity to stay in business and to avoid fines. A solid business plan to achieve this is to educate your employees on the HIPAA Privacy and Security Rules, use a comprehensive process that lays out the roadmap to compliance, and have a compliance assessment performed by an independent third party. Upon passing the assessment, HIPAA provides certification that your business is HIPAA compliant via a dated seal to be used for your company, services and products. Learn more by clicking here and start the process of attaining HIPAA compliance certification today!