HIPAA – Business Associates

Business Associate Training



You have been selected to take this training because you have been identified as a UW-Madison employee who will serve as a Business Associate either to the UW-Madison Health Care Component (HCC) or a third party.

At the end of this training you should:

  • Understand the purpose and scope of HIPAA and the importance of HIPAA compliance.
  • Recognize and understand important defined terms.
  • Understand how HIPAA impacts your role as a Business Associate, recognize common HIPAA issues that you may encounter as a Business Associate, and understand your responsibilities as a Business Associate with respect to HIPAA compliance.
  • Know where to look and/or whom to contact if you need additional information or assistance related to HIPAA compliance.

History of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was passed in 1996. HIPAA addressed a wide variety of issues involving the health insurance and health care industries. One of the issues addressed by HIPAA is the privacy and security of patients’ health information. Specifically, the HIPAA Privacy Rule and the HIPAA Security Rule govern how Covered Entities and Business Associates keep Protected Health Information physically and technologically secure and how Covered Entities and Business Associates use and disclose Protected Health Information. The Privacy Rule also grants patients certain rights with respect to accessing and controlling their Protected Health Information.

HIPAA was amended in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Final regulations implementing the HITECH Act were issued in 2013. The 2013 regulations are important, in part, because they dramatically increased both the responsibility of Business Associates for HIPAA compliance and the penalties associated with noncompliance.


Definitions

Business Associate (BA) – A person or entity is a Business Associate:

  1. When that person or entity:
    • Performs certain functions or activities on behalf of a Covered Entity; or
    • Provides services to a Covered Entity; and
  2. When, in the course of performing that function or providing that service, the person or entity creates, receives, maintains or transmits Protected Health Information.

Covered Entity (CE) – A health plan; health care clearinghouse; or health care provider.

Disclosure – the release, transfer, provision of access to, or divulging in any manner of Protected Health Information by an individual within the Covered Entity to a person or entity outside the Covered Entity.

Protected Health Information (PHI) – information which meets all of the following criteria:

    1. The information is created or received by a CE; and
    2. The information relates to the past, present or future:
      • Health or health condition of an individual; or
      • Health care provided to an individual; or
      • Payment by an individual for health care; and
    3. The information identifies the individual or could reasonably be used to identify the individual.

If information includes even one of the following elements it is considered to identify the individual:

    • Name
    • Any geographic subdivision smaller than a State
    • Any element of a date for a date directly related to the individual, including, for example: birth date, discharge date, date of death, any age over 89 or any part of any date indicating an age over 89
    • Telephone number
    • Fax number
    • Email address
    • SSN
    • Health plan beneficiary number
    • Account number
    • Certificate or license number
    • Vehicle identification number, vehicle serial number, or license plate number
    • Device identifiers and serial numbers
    • Web URL
    • IP address
    • Biometric identifiers, including fingerprints and voiceprints
    • Full face photographic images and any comparable images
    • Any other unique identifying number, characteristic, or code
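The list above is the checklist a BA applies before treating a data set as de-identified: if any one element remains, the record is still PHI. As an added example (not part of the UW-Madison training and not regulatory text), the following Python function runs that checklist against a record with both structured fields and free-text notes. The field names, regular expressions and sample records are assumptions constructed for illustration; the patterns are deliberately simple. It also carries through the two rules practitioners most often miss: any element of a date other than the year counts, and an age over 89, including a year of birth that implies one, is itself an identifier.

```python
"""Safe Harbor identifier scan (added example, not UW-Madison code).

Reports which identifier categories from the HIPAA list are still present
in a record, so a caller knows whether the record must be handled as PHI.
Field names, patterns and sample records below are constructed assumptions.
"""
import re
from datetime import date

# Free-text patterns (constructed and illustrative; real scanners use
# richer detectors and dictionaries for names and places).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Structured fields that are identifiers on their own (assumed schema).
DIRECT_FIELDS = {
    "name", "mrn", "health_plan_id", "account_number", "device_serial",
    "vin", "license_plate", "phone", "fax", "email", "ip_address", "url",
    "biometric", "photo",
}
# Geographic subdivisions smaller than a state; "state" itself is allowed.
GEOGRAPHIC_FIELDS = ("street", "city", "county", "zip")
# Dates tied to the individual; the year alone (birth_year) is allowed.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

AS_OF = date(2024, 6, 1)  # reference date for age computation (constructed)


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def find_identifiers(record: dict, as_of: date = AS_OF) -> list[str]:
    """Return the identifier categories present in `record` (empty if none)."""
    found = []
    for field in sorted(DIRECT_FIELDS & set(record)):
        if record[field]:
            found.append(field)
    for field in GEOGRAPHIC_FIELDS:
        if record.get(field):
            found.append(f"geography:{field}")
    for field in DATE_FIELDS:
        if isinstance(record.get(field), date):
            found.append(f"date:{field}")
    # Age over 89: from an explicit age, a full birth date, or (conservatively)
    # a bare birth year that could put the individual over 89.
    age = record.get("age")
    if isinstance(record.get("birth_date"), date):
        age = age_on(record["birth_date"], as_of)
    elif record.get("birth_year") is not None:
        age = as_of.year - record["birth_year"]
    if age is not None and age > 89:
        found.append("age_over_89")
    for field in ("notes", "comment"):
        text = record.get(field) or ""
        for kind, pattern in FREE_TEXT_PATTERNS.items():
            if pattern.search(text):
                found.append(f"text:{kind}")
    return found


def is_phi(record: dict, as_of: date = AS_OF) -> bool:
    """True if any Safe Harbor identifier remains in the record."""
    return bool(find_identifiers(record, as_of))


# Constructed sample records (not real patients).
RECORD_WITH_PHI = {
    "name": "Pat Example",
    "zip": "53706",
    "birth_date": date(1931, 3, 14),
    "diagnosis": "hypertension",
    "notes": "Patient asked to be reached at 608-555-0100 or pat@example.org.",
}
RECORD_DEIDENTIFIED = {
    "state": "WI",
    "birth_year": 1975,
    "diagnosis": "hypertension",
    "notes": "Follow-up in two weeks; BP stable.",
}

if __name__ == "__main__":
    for label, rec in (("with PHI", RECORD_WITH_PHI), ("de-identified", RECORD_DEIDENTIFIED)):
        print(f"{label}: is_phi={is_phi(rec)} identifiers={find_identifiers(rec)}")
```

A clean scan is necessary but not sufficient: the Safe Harbor method also requires that the BA have no actual knowledge that the remaining information could identify the individual, and a scanner cannot check that. Treat the result as a gate before release, not as proof of de-identification.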

Use – the sharing, employment, application, utilization, examination, or analysis of PHI by an individual within the Covered Entity.

Business Associate Agreements

If you are going to serve as a BA, you are required to enter into a Business Associate Agreement (BAA). The terms of the BAA will outline your rights and responsibilities as a BA. While the Privacy Rule and Security Rule establish a baseline for these rights and responsibilities, a CE may attempt to use the BAA to limit those rights and/or to impose even greater responsibilities. In reviewing and negotiating a BAA, UW-Madison will be careful to preserve those rights which are most important to you as a BA and to ensure that you only assume those additional responsibilities which are operationally feasible for you as a BA. For example, UW-Madison will work with you to consider:

Deadlines for Security Incident and Breach Notification – BAs are required to notify CEs of security incidents and breaches of unsecured PHI without unreasonable delay, but in no event later than 60 days after the breach is discovered. CEs often request shorter, more specific deadlines for providing this notice. When deciding whether to agree to a CE’s request for a shorter deadline, be sure that responding in that shortened timeframe is operationally feasible.

Permitted Uses and Disclosures of PHI – BAs are permitted to use and disclose PHI when required by law. A BA may not use or disclose PHI for any other reason unless that reason is permitted or required under the BAA. If you anticipate wanting to use the PHI for a specific purpose, be sure to include language in the BAA which permits you to use and disclose PHI for that purpose.

Additional details about negotiating, executing, and managing a BAA can be found in Privacy Policy 6.2 (UW-117) Managing Business Associate Agreements when the University of Wisconsin-Madison is the BA.

Security Rule Responsibilities & Common Issues

The regulations require BAs to comply with the Security Rule in its entirety and to the same degree that a CE is expected to comply. In general, the Security Rule requires that a CE or BA:

  • Ensure the confidentiality, integrity, and availability of electronic PHI; and
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such electronic PHI; and
  • Protect against any reasonably anticipated uses or disclosures of such electronic PHI that are not permitted or required under the Privacy Rule; and
  • Ensure that its workforce complies with the Security Rule.

More specifically, the Security Rule requires that CEs and BAs implement administrative, physical, and technical safeguards, including, among other things:

  • Providing security awareness training;
  • Developing a security management process, including performing a risk assessment;
  • Auditing and monitoring relevant information system (IS) activity;
  • Implementing and enforcing certain access- and security-related policies and procedures;
  • Limiting physical access to certain areas by use of badge access controls;
  • Conducting periodic risk assessments;
  • Implementing security measures sufficient to reduce risks and vulnerabilities; and
  • Implementing and complying with a disciplinary/sanctions policy.

The UW-Madison Office of Campus Information Security will work with you to determine the most appropriate method for ensuring compliance with the Security Rule requirements. In some cases, compliance with existing UW-Madison policies will meet these requirements. In other cases, you may need to work with the Office of Campus Information Security in conjunction with your local/departmental IT to identify department-specific means of achieving compliance with the Security Rule requirements.

Privacy Rule Responsibilities & Common Issues

In general, the Privacy Rule governs when and how a CE or BA may use or disclose (to outside third parties) PHI. Unlike the Security Rule, which applies equally to CEs and BAs, the Privacy Rule applies to BAs in a slightly different manner than it applies to CEs. Specifically, BAs:

    1. May only use or disclose PHI to the extent that the use or disclosure is either required by law or permitted by the BAA or by any other underlying contract between the CE and BA. Disclosures required by law include:
      • Disclosures to the Secretary of the Department of Health and Human Services during an investigation by the Secretary; and
      • Disclosures to a patient pursuant to the patient’s request for an electronic copy of PHI.
    2. Must, even to the extent that a use or disclosure is permissible because it is required by law or permitted by the contract between the CE and BA, only use and/or disclose the minimum amount of PHI necessary to perform the services requested under the underlying contract between the CE and BA. This means that a BA must ensure that:
      • Only individuals performing services under the contract between the BA and CE have access to the PHI; and
      • The individual(s) performing services under the contract understand that they must limit their uses and disclosures to the minimum necessary to perform their assigned tasks.
    3. Are required to make PHI available to patients as required under the Privacy Rule.


Before UW-Madison will execute a business associate agreement on behalf of an employee or agent, the employee or agent must make certain certifications within the Checklist for UW-Madison Business Associates attesting to the fact that the employee or agent:

  • Has reviewed the business associate agreement and understands his or her responsibilities; and
  • Has reviewed the above Business Associate Training.

You must complete the checklist and attach it to the business associate agreement prior to sending it to the appropriate UW-Madison office (e.g. Office of Industrial Partnerships, Purchasing Services) to be executed by a Board of Regents signatory.