Covered Entity (CE) and Business Associate (BA) Distinctions
HIPAA designates healthcare providers that electronically transmit transactions such as claims as covered entities. This is clearly described in the Centers for Medicare and Medicaid Services (CMS) information, including a page that also gives examples of business associates.
Note: This paper includes direct links to HIPAA pages for further information.
Your home healthcare agency is a CE and your answering service is a BA, because it assists the agency in carrying out its services. The answering service is not a CE because it does not electronically submit claims or other HIPAA transactions. Nevertheless, the BA is required to be HIPAA compliant under the Privacy Rule, because its functions may involve using protected health information (PHI) to ensure timely, safe home healthcare for clients.
The Business Associate Agreement
Regulations specify that you, as the CE, must enter into a contract or agreement with your agency’s business associates. This is often referred to as a business associate agreement (BAA). It describes the particulars of your business relationship, including assurances that the BA adheres to HIPAA rules. Your institution’s contract must include points related to:
- Management of disclosures and uses of protected information by the BA.
- The roles of the CE and BA in protecting health information, including implementation of the safeguards mandated by HIPAA.
- Assurances that the BA’s safeguards, uses, and disclosures align with the CE’s privacy policies for protected health information.
- Reporting and compliance assurances between the CE and BA related to the Privacy Rule, including potential security breaches.
- CE interaction with BA business practices, such as:
  - Availability of business practices and relevant documents,
  - Contract termination parameters, and
  - BA subcontractor requirements.
Who’s Responsible for a HIPAA Breach?
Responsibility for a HIPAA information breach is divided differently between the CE and the BA.
A CE is not required to monitor or oversee the HIPAA-related functions of a BA with which it has a BAA. The CE is, however, out of compliance in specific situations, including:
- Failure to address and correct a material breach by a BA when one is reported.
- Violation of the contract by the BA.
The BA is potentially liable in several circumstances, including:
- Not notifying the covered entity of a potential breach.
- Failing to enter into a business associate agreement with a subcontractor.