Business Associate HIPAA Training: Everything You Need to Know

When you think about HIPAA, I bet your mind will jump to healthcare professionals. After all, the law does stand for the Health Insurance Portability and Accountability Act.

If you happen to work as a healthcare professional, odds are that you already know that you have to train your employees on an annual basis about the law’s requirements. If you don’t, you’ll face a massive fine.

But the truth is that HIPAA extends beyond facilities that treat patients. Organizations that work with and support the operations of healthcare practices, hospitals and pharmacies also need to abide by HIPAA requirements.

The wing of the government that’s responsible for enforcing HIPAA is the Department of Health and Human Services (HHS). They define those organizations that help healthcare facilities as “business associates” (more on that later).

Since business associates must also adhere to HIPAA’s requirements, it means that they also have to train their employees on an annual basis. But what should that training look like? Here’s everything you need to know about business associate HIPAA training.

What is HIPAA?

First, if you don’t know what HIPAA is, let’s take a look at the HIPAA Privacy Rule…

“The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as “protected health information” or PHI) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.” (via HHS)

This rule applies safeguards to protect the privacy of protected health information (PHI). But it’s not the only one. HIPAA also includes a Security Rule and Breach Notification Rule.

The need for authorization is another layer of protection within the rule. It applies whenever someone needs to obtain a patient’s health information. If a patient is unable to give their authorization, there are limitations in place on what can be done with their information.

HIPAA also gives a person rights over their protected health information. An example of this is the right to view and get a copy of their health records. 

What is a Business Associate?

Simply put, a business associate helps healthcare organizations manage sensitive data.

Luckily, the law provides a very specific definition within its Privacy Rule.

via HHS

Not every business that healthcare organizations work with is a business associate.

For example, janitors don't deal with any sensitive data…so HIPAA’s requirements don’t apply to them.

What are some examples of business associates?

Some examples of business associates include…

  1. Third-party companies that assist with claims processing, and medical billing companies.

  2. Attorneys whose services allow them access to patient health information.

  3. Healthcare clearinghouses that handle claims before forwarding the processed transaction to a payer. 

  4. Cleaning services that work for hospitals, physician offices, and other medical facilities. 

  5. Software companies that handle patient health information for documentation, storage, payment, etc.

Business associates can also be subcontractors, meaning they receive, maintain, and/or send PHI on behalf of another business associate.

Let’s say you’re using an application to check your personal health information after a routine visit to your doctor’s office. The organization that developed the app you use in this case is a business associate. This is because they’re storing your health information on behalf of the doctor’s office.

If the information is then sent to a voice processing firm for speech-to-text processing, that firm would also be a subcontractor.

If you ever have a question about whether an organization falls under the business associate umbrella, remember that it’s the presence of patient health information that determines this. If protected health information is available, then this is a business associate and falls under HIPAA regulations.

The Business Associate Agreement

Healthcare organizations can't give out patient information to anyone they work with without any rhyme or reason. At least... it's pretty frowned upon.

Covered entities and business associates, when required, will enter into Business Associate Agreements (BAAs) before sharing PHI. This is to ensure that those business associates will protect patient health information. A BAA is also important for covered entities to define and limit what uses of information are appropriate. 

via HHS

Exceptions to The Business Associate Standard

Just because you haven’t signed a contract with a health provider doesn’t mean you’re exempt from HIPAA. So long as you are working with patient health information, you will need to follow protocol.

The Privacy Rule does include exceptions to the business associate standard, but there aren’t many. 

In the following cases, protected health information can be made available to another party without a business associate contract.

  1. Disclosure of patient health information from a covered entity to a healthcare provider. This is in the scenario that a patient needs to seek treatment at another facility. A hospital does not need to have a business associate contract with a specialist with whom a patient is going to continue treatment. 

  2. For persons or organizations, such as janitorial services, whose services do not directly involve the use or disclosure of protected health information. In this case, any access to protected health information by this person would be incidental.

  3. For persons or organizations that deliver or transmit protected health information. A good example of this would be the US Postal Service.

Why are Business Associates Liable for HIPAA?

So, how and why does HIPAA apply to anyone outside of medical providers and the patient?

Most healthcare plans and providers don’t carry out all of their operating functions by themselves. So it’s not uncommon for a covered entity to use the services of another person or business. After all, healthcare providers' sole purpose is to treat patients.

Anyway, if a third-party organization works with or handles PHI, it’s considered a “business associate” under HIPAA.

As of September 2013 with the HITECH Act, business associates have become directly liable for HIPAA compliance. 

via ARRA

Even though it added stricter requirements on working with healthcare organizations, it makes sense that business associates are equally liable.

Consider this.

Healthcare organizations don’t have software developers on staff. They can't just create an encrypted electronic health record (EHR) system. Thus, they have to find an EHR provider. It doesn’t matter which EHR system these organizations choose. That’s up to preference.

What does matter, though, is that the EHR systems all encrypt the PHI that they store, and that they don’t suffer a hack that affects the provider’s patient data. If an EHR system provider falls victim to a hack, the HHS holds them liable for breaching HIPAA.

HIPAA Business Associate Training Requirements

Since business associates must comply with HIPAA, the training requirement is in scope for them as well.

In other words, a business associate MUST train its employees on HIPAA.

But, what are the specific training requirements that HIPAA lays out for business associates? The truth is, it doesn’t specify.

The HIPAA Privacy Rule mentions training in its Administrative Requirement section (45 CFR § 164.530).

via HHS

The standard on training states that covered entities must train every member of their workforce. It also mentions that the training must happen as a part of onboarding and within a reasonable period of time afterward.

The HIPAA Security Rule also mentions a training requirement.

via HHS

This portion of HIPAA also lists training as a requirement and states that it should be provided “periodically”.

What to Expect from Business Associate HIPAA Compliance Training

For a business associate to be able to enter into a contract and handle patient health information, they must uphold HIPAA standards. This includes HIPAA’s training requirement.

So what should business associate HIPAA training look like? The requirements help identify topics, so let’s take another look at them.

Based on the requirements spelled out by both the Privacy Rule and the Security Rule, we learn a few key takeaways.

Business associates need to train their employees on…

  1. HIPAA

  2. Malware

  3. Password Management

Employees need to receive this training…

  • During onboarding

  • Annually

The business associate HIPAA training should cover…

  • The differences between covered entities and business associates.

  • The intricacies of a business associate agreement.

  • Introduction to HIPAA. What is HIPAA and why is it necessary?

  • What are an individual’s HIPAA rights and how can you be sure to protect them?

  • What are Organization Responsibilities? The Dos and Don'ts of working with PHI.

  • Malware attacks and HIPAA Breaches.

  • Permissible Uses and Disclosures of Patient Health Information as a Business Associate.

  • HIPAA and State Laws and how to avoid a lawsuit.

Conclusion

If your organization has access to protected health information, you’re required to train your employees on HIPAA. Companies and organizations are accountable for protecting this information. Neglecting this responsibility can come with fines.

HIPAA violations are expensive. The penalties for non-compliance can range from $100 to $50,000 per violation. These violations can also carry criminal charges that result in jail time.

Hospitals, doctors' offices, and other healthcare facilities provide HIPAA training to their employees. BUT, as we learned throughout this blog post…business associates also need to provide HIPAA training to their employees.

Reach out to Etactics to find out more about our online HIPAA training module.