HIPAA Business Associates or BA’s are persons or companies that are not an employee of the pharmacy but will receive Protected Health Information (PHI) from the pharmacy for specific functions, or activities on behalf of the pharmacy, or services for the pharmacy. These functions or activities could include:
- claims processing or administration
- data analysis
- processing or administration
- utilization review
- quality assurance
- benefit management
- practice management
- and re-pricing
A Business Associate could also conduct the following services for the pharmacy: legal, actuarial, credit collection agencies, document destruction and third party reconciliation services. As you change vendors, BA’s are required to be issued. In addition, all Business Associates Agreements were required to be updated in February 2010 due to the HITECH requirements in the American Recovery and Restoration Act (ARRA).
It is not uncommon for a Business Associate to send the provider their Business Associate Agreement to be signed. This is done in the spirit of making it easier to the provider. However, the devil is in the details. Always review a vendor issued BA. Ensure the vendor is not excluding themselves from breach reporting requirements and other important BA responsibilities.
Business Associates are an integral part of your Disaster Recovery Plan. Are your BA’s able to assist in a time of an emergency? Pharmacies and other healthcare providers should test your Disaster Recovery Plan. This plan is required by the HIPAA Security Rule and is a great resource if an earthquake, flood, fire, or some other natural or man-made disaster strikes your facility.
Photo from http://resource.onlinetech.com