Susan Miller, Security & Privacy Work Group Chair, WEDI with Jim Sheldon-Dean
Business Associates first made their appearance in the HIPAA regulations almost a decade ago. During the first few years under the HIPAA regulations business associates used PHI of a HIPAA covered entity to do work for the covered entity including claims processing, data analysis, utilization review, benefit management, and practice management. In other words, the work was in the areas of administration, payment and health care operations. This electronic data sharing was between no more than two or three entities.
The world has advanced and we now have Electronic Health Records (EHRs), Personal Health Records (PHRs), Regional Health Information Organizations (RHIOs) and Health Information Interchanges (HIEs) that share clinical information electronically. This data sharing is among a much larger universe, among many more entities, through much different technologies.
Until the HITECH Act PHRs, RHIOs and HIEs were not business associates. Business associates now include these new forms of clinical data repositories and sharing organizations and must keep most of the HIPAA privacy and security requirements as if they are covered entities and not just through a contract, a business associate agreement with a covered entity.
This session will outline the new world of business associates in clinical information sharing.