Sunday, June 4, 2023
OANDP-L
  • Login
No Result
View All Result
The O&P EDGE
  • PECOS
  • Magazine
    • Subscription
    • Current Issue
    • Issue Archive
    • News Archive
    • Product & Service Directory
    • Advertising Information
    • EDGE Flipbooks
  • O&P Jobs
    • Find a Job
    • Post a Job
  • EDGE Advantage
  • O&P Facilities
  • Resources
    • Product & Service Directory
    • Calendar
    • Contact
    • About Us
    • O&P Library
    • The Guide
    • Custom Publications
    • Advertising Information
    • EDGE Direct
    • Amplitude Media Group
  • PECOS
  • Magazine
    • Subscription
    • Current Issue
    • Issue Archive
    • News Archive
    • Product & Service Directory
    • Advertising Information
    • EDGE Flipbooks
  • O&P Jobs
    • Find a Job
    • Post a Job
  • EDGE Advantage
  • O&P Facilities
  • Resources
    • Product & Service Directory
    • Calendar
    • Contact
    • About Us
    • O&P Library
    • The Guide
    • Custom Publications
    • Advertising Information
    • EDGE Direct
    • Amplitude Media Group
No Result
View All Result
The O&P EDGE Magazine
No Result
View All Result
Home News

HIPAA and the Business Associate Puzzle

by Sheila Press Attorney
July 1, 2003
in News
0
SHARES
14
VIEWS
Share on FacebookShare on Twitter

HIPAA is the acronym for the Health Insurance Portability and
Accountability Act of 1996. One part of that law, the Privacy Rule,
went into effect on April 14, 2003. If your business is a “covered
entity” as defined by the privacy regulations, you must comply with
the requirements of these regulations.

The final regulations for the HIPAA Privacy Rule were released
by the Department of Health & Human Services (DHHS) in August
2002. The Office for Civil Rights (OCR) that is charged with
enforcement of the provisions of the Rule. Because these
regulations are rather new, OCR is continuing to interpret them as
well as to provide both technical assistance and information to
entities required to comply. Thus, clarification of the issues
under the HIPAA Privacy Rule is an on-going process.

A key concept under the privacy regulations is that of “business
associate.” This term is defined as “a person or entity that
performs a function or activity on behalf of a covered entity that
involves individually identifiable health information.” The
regulations require that your business have a written agreement
with persons/entities who are business associates to ensure that
the personal health information that you share with them is both
used and safeguarded appropriately (“satisfactory assurances”).
Thus, a covered entity cannot generally disclose protected health
information (PHI) to a business associate without such a written
agreement. Interestingly, the burden is on the covered entity to
initiate the business associate agreement, but there is no
requirement that the covered entity monitor how the business
associate abides by the terms of the agreement. Furthermore, under
the regulations, you are not legally liable for the actions of your
business associate, but, if you discover that your business
associate has violated the agreement, you must take reasonable
steps to correct the violation; if you cannot correct the
violation, you must terminate the agreement.

Identifying your business associates is not an easy task. The
regulations add some information: The business associate is a
person/entity who performs, or assists in performing, a “function
or activity involving the use or disclosure of” personal health
information. These functions or activities include “claims
processing or administration; data analysis, processing or
administration; utilization review; quality assurance; billing;
benefit management; practice management and repricing,” and it also
includes providing “legal, accreditation or financial services.”
Complex legal language!

For the use of O&P businesses, a “business associate” is NOT
a member of your workforce. Also, it is NOT another healthcare
provider to whom you disclose personal health information for
treatment purposes, such as a referring physician or physical
therapist. Furthermore, it is NOT a payer nor is it a health plan
to which you disclose personal health information for the purposes
of payment or accepting a discounted rate for your services. It is
NOT your janitorial service or a courier service, UPS, FedEx, or
the US Postal Service. Finally, it is NOT a telephone or copier
repair person who might stumble across some personal health
information; this sort of situation is referred to within the
regulations as an “incidental disclosure;” it is a very different
situation with a software vendor who sees PHI while installing or
developing new software for you.

Thus, you can start the process of defining your business
associates by asking three questions:

(1) Does the business perform or assist in the performance of an
activity or function involving the use or disclosure of PHI? Or

(2)  Does the business provide legal, actuarial, accounting,
consulting, management, claims processing, accreditation, or
financial services that require the disclosure of PHI? And

(3) Does the business require the PHI in order to perform its
function or does the person need the PHI to perform his/her
duties?

In O&P, we do know that a central fabrication facility is
considered part of “treatment” and is not a business associate.
However, an entity that sells componentry and receives PHI in order
to provide the appropriate componentry would be considered to be
your “business associate.” In fact, such a provider is referred to
as a “specialty vendor” or a vendor that assists the direct
treatment provider or enables the direct treatment provider to
provide its services. Another business associate question has
arisen regarding an entity that receives PHI as part of the
warranty process: such an entity should be considered a business
associate under the definition of the regulations as it is
receiving PHI in order to perform its duties, i.e. warranty a
particular component.

It is important to note that, even if your business is a covered
entity, it may also be a business associate. For example, if you
have a contract to provide services to a clinic or hospital and you
are paid by that entity for the provision of services, you are a
business associate of that clinic or hospital. The key in this
situation is that you are being paid under a contract to provide
services. Also, there has been some advice issued regarding the
signing of a business associate agreement with another provider
even if you are not a business associate under HIPAA. However, your
lawyer would most likely tell you that it is never advisable to
undertake legal obligations when it is not necessary to do so.

The issue of “business associate” will, no doubt, continue to be
clarified by OCR as the implementation of the privacy regulations
proceeds, and you will receive that information in later issues of
The O&P Edge.

Sheila M. Press, Attorney, is president of Healthcare Compliance
Solutions, a company providing consulting services, including HIPAA
and OIG compliance, and customized compliance programs for O&P.
Contact her at 480.767.9477; e-mail [email protected]; www.hccsolutions.com.

Related posts:

  1. HIPAA Privacy: Are You Ready to Comply?
  2. HIPAA Privacy: Are You Ready to Comply?
  3. Provider Compliance Update
  4. HIPAA Privacy Regulations: A Compliance Challenge
Previous Post

Medicare Bills Pass: Impact on O&P

Next Post

New England AAD Opens

Next Post

New England AAD Opens

  • VIEW CURRENT ISSUE
  • SUBSCRIBE FOR FREE

RECENT NEWS

News

TMR at Amputation Lessens Neuroma Formation

by The O&P EDGE
May 25, 2023

While targeted muscle reinnervation (TMR) is an effective technique for the prevention and management of phantom limb pain and residual...

Read more

SPS Employees Mark Anniversaries

Prosthetic Ankle Design Increased Foot Clearance, May Decrease Fall Risk

CAF Gala Raises Over $675,000

Get unlimited access!

Join EDGE ADVANTAGE and unlock The O&P EDGE's vast library of archived content.
SUBSCRIBE TODAY

O&P JOBS

Pacific

Hanger Clinic is Hiring in California!

Eastern

Immediate opening for a CPO at Hanger Clinic Dayton, Ohio!

Eastern

Director of Prosthetics and Orthotic Department

 

© 2021 The O&P EDGE

  • About
  • Advertise
  • Contact
  • EDGE Advantage
  • OANDP-L
  • Subscribe

CONTACT US

866-613-0257

[email protected]

201 E. 4th St
Loveland, CO 80537

The most important industry news and events delivered directly to your inbox every week.

No Result
View All Result
  • PECOS
  • MAGAZINE
    • SUBSCRIBE
    • CURRENT ISSUE
    • ISSUE ARCHIVE
    • NEWS ARCHIVE
    • PRODUCTS & SERVICES DIRECTORY
    • ADVERTISING INFORMATION
  • O&P JOBS
    • FIND A JOB
    • POST A JOB
  • EDGE ADVANTAGE
  • FACILITES
  • RESOURCES
    • PRODUCTS & SERVICES DIRECTORY
    • CALENDAR
    • CONTACT
    • ABOUT US
    • O&P LIBRARY
    • THE GUIDE
    • CUSTOM PUBLICATIONS
    • ADVERTISING
    • EDGE DIRECT
    • AMPLITUDE
  • OANDP-L
  • LOGIN

© 2023The O&P EDGE

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
The O&P EDGE Magazine
 
Required 'Candidate' login to applying this job. Click here to logout And try again
 

Login to your account

  • Forgot Password? | Sign Up

Reset Password

  • Already have an account? Login

Enter the username or e-mail you used in your profile. A password reset link will be sent to you by email.

Signup to your Account

  • By clicking checkbox, you agree to our Terms and Conditions and Privacy Policy

    Already have an account? Login

Close
Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
 

Account Activation

Before you can login, you must activate your account with the code sent to your email address. If you did not receive this email, please check your junk/spam folder. Click here to resend the activation email. If you entered an incorrect email address, you will need to re-register with the correct email address.