When is a Person or Entity a Business Associate Under HIPAA?

After languishing for more than two years, the HIPAA Omnibus Rule was finally released on January 17, 2013. The Final Rule updates the HIPAA Privacy and Security Rules to comply with the changes the HITECH Act made to the Rules. The HITECH Act made clear that Business Associates would be directly liable for data breaches. But, based on the comments HHS received, there appeared to be some confusion about who is a business associate for the purposes of HIPAA. In addressing a comment regarding human research, HHS provided the following helpful response:

"A person or entity is a business associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of 'business associate,' and in the performance of such duties the person or entity has access to protected health information."

As such, whether an individual or entity is a business associate is a fact-specific inquiry, and all circumstances must be considered. Moreover, a person or entity can be a business associate when engaging in one activity but not a business associate when engaging in another. Consider the following example provided by HHS:

"[A]n external researcher is not a business associate of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research. ..."

To determine whether an individual or entity is a business associate, the tasks the individual or entity is undertaking must be reviewed carefully.