Standard for HIPAA Ohio University Acting as a Business Associate
Purpose
A business associate relationship exists when Ohio University, acting for and/or on behalf of a covered entity, performs a service, function or activity involving the use or disclosure of PHI. Generally, Ohio University is deemed a business associate when it receives PHI from a covered entity in the course of providing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. Even though Ohio University is a hybrid HIPAA entity, with designated HIPAA covered components, it may be the business associate of another covered entity depending upon the activities being performed. Ohio University will identify business associate relationships and, prior to acting as a business associate to a covered entity, Ohio University shall enter into a business associate agreement in accordance with the procedures set forth below.
Scope
This standard shall apply to all Ohio University units that store, process or transmit PHI.
Standard
Identification of Business Associate Relationship.
- HIPAA Compliance Coordinators, in collaboration with the HIPAA Privacy Officer, will determine whether a relationship between the outside entity and the University constitutes a business associate relationship.
- Current relationships: Ohio University will, in connection with any existing business arrangement with covered entities, identify whether such arrangement (contractual or otherwise) constitutes a business associate relationship under HIPAA by doing both of the following:
  - Identifying whether Ohio University is performing a function or activity for or on behalf of the covered entity; and
  - Determining whether Ohio University receives PHI from the covered entity to perform such function or activity.
- Newly formed relationships: Prior to entering into any new relationship with a covered entity, Ohio University will evaluate whether such relationship will constitute a business associate relationship by:
  - Identifying whether Ohio University will perform a function or activity for or on behalf of the covered entity; and
  - Determining whether Ohio University will receive PHI from the covered entity to perform such function or activity.
Exceptions to a Business Associate Relationship.
A business associate relationship does not exist, even though Ohio University may receive PHI from a covered entity in order to perform a function or activity for or on the covered entity’s behalf, in the following instances:
- Treatment. A business associate relationship does not exist when a covered entity discloses PHI to Ohio University for purposes of treatment.
- Disclosures between a Group Health Plan and Plan Sponsor. A business associate relationship does not exist between a group health plan and plan sponsor.
- Organized Health Care Arrangements. Entities that participate in an organized health care arrangement are not business associates of each other.
- Entities Acting as Mere Conduits. A business associate relationship does not exist between business associates acting as mere conduits in the transmission of PHI (such as the U.S. Postal Service or a courier service).
Contracting Requirements of Business Associate Agreements.
Where Ohio University has identified that a business associate relationship exists and an exception does not apply, Ohio University shall enter into a business associate agreement (BAA) with the covered entity using a form of such agreement as specified by Ohio University and/or another such form that has been reviewed and approved by Ohio University’s HIPAA Privacy Officer and legal counsel. Such an agreement will contain the following provisions:
- Permitted Uses and Disclosures. The BAA will state the purpose(s) for which the business associate may use and/or disclose PHI and will indicate, in general terms, the reasons for which, and the types of persons to whom, the business associate may make further disclosures.
- Assurances. The BAA will contain the following assurances from the business associate:
  - The business associate will not use or disclose PHI other than as permitted by the BAA or as required by law;
  - The business associate will use appropriate safeguards to protect the confidentiality of PHI;
  - The business associate will report to the covered entity any use or disclosure of PHI not permitted by the BAA;
  - The business associate will ensure that its agents or subcontractors agree, in writing, to the same restrictions and conditions as the business associate;
  - The business associate will make available to the covered entity the information necessary for the covered entity to comply with an individual’s rights to access, amend, and/or receive an accounting of disclosures of their PHI;
  - The business associate will make available to the Secretary of the Department of Health and Human Services (HHS) the business associate’s internal practices, books and records relating to the use and disclosure of PHI;
  - The business associate will return or destroy the PHI once the contract is terminated; and
  - Such other provisions as may be required by amendments to HIPAA and/or such other later amendments as required by law.
- Breach and Termination. The BAA will provide that, if the covered entity knows (i.e., has substantial or credible evidence) of a business associate’s pattern of activity or practice which constitutes a material breach or violation of the business associate’s obligations under the BAA, the covered entity will take “reasonable steps” to cure the breach or violation. If the measures taken are unsuccessful, the covered entity may terminate the BAA.
- Appropriate Safeguards. The BAA will contain language that requires the business associate to use “appropriate safeguards” to prevent the use or disclosure of PHI other than as provided for in the BAA.
- Optional Provisions. In consultation with Ohio University’s legal counsel, the following provisions also may be included in the BAA:
  - No third party beneficiary provision;
  - Provisions to allow the business associate to use PHI in the performance of the business associate’s management and administrative functions;
  - Insurance and indemnification provisions;
  - Independent contractor, not agent provision;
  - Conflict provision;
  - Notice provision; and
  - Governing law provision.
Timing of Execution of Business Associate Agreement.
Business Associate Agreements, when required by law and/or under the provisions of this standard, shall be entered into prior to Ohio University performing any activities for or on behalf of a covered entity that require access to patient PHI.
- All executed BAAs must be submitted to the HIPAA Privacy Officer and Legal Affairs.
Definitions
- PHI: Protected Health Information.
- HIPAA Privacy Officer: The individual appointed by Ohio University to be the Privacy Officer as required by the HIPAA Privacy Rule.
- HIPAA Compliance Coordinator: The individual designated as the point of contact for privacy and security matters and liaison between staff members within a HIPAA Covered Entity Unit and the University HIPAA Privacy and Security Officers.
References
- 45 C.F.R. §§ 164.103 and 164.504(e)
- Policy 03.001 General Policy on Health Insurance Portability and Accountability Act (HIPAA) Compliance
- Ohio University HIPAA Privacy Standards and Procedures
- OU BAA Decision Tree
Governance
This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders, in the interest of ensuring the privacy and security of individuals’ health information, as deemed appropriate based on current regulatory requirements.
Status: Approved
Effective: September 24, 2019