HIPAA requires that every healthcare professional maintain the privacy and confidentiality of all protected health information (PHI). A business associate is a person or entity that provides services to a covered entity involving the disclosure of PHI. Reinforce a participant’s understanding of HIPAA privacy, security, and breach notification rules with this starter Qstream microlearning course.
HIPAA for Business Associates
Content Preview
Navigate through the Qstream questions below to preview. Each challenge is designed following Qstream’s best practices for maximum knowledge reinforcement and engagement. This Qstream is free for clients to use as a starting point.
The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associates that they will appropriately safeguard the protected health information (PHI) they receive or create on behalf of the covered entity.
The business associate may use the PHI only to help the covered entity carry out its health care functions, not for the business associate’s own independent use or purposes.
Which of the following are true statements regarding HIPAA business associates (BAs)?
Answer explanation:
A HIPAA business associate (BA) is any entity that is provided with access to Protected Health Information (PHI) to perform services or functions for a HIPAA-covered entity. A BA can be either an individual, a corporation or a company.
Examples of Business Associates include a/an:
• Third-party administrator that assists a health plan with claims processing
• Consultant that performs utilization reviews for a hospital
• Healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a healthcare provider, and forwards the processed transaction to a payer
• Independent medical transcriptionist that provides transcription services to a physician
BAs of covered entities must also comply with HIPAA Rules and can be fined directly by regulators for non-compliance.
Heather is a medical coder and biller for Dr. Kittrell. After working for Dr. Kittrell for seven years, Heather decided to open her own business. They have agreed that Heather will work for Dr. Kittrell as an independent contractor from home two days a week and from his medical office one day a week to oversee the billing and training of the staff.
Which of the following statements are/is true about this situation?
Answer explanation:
Heather’s function is billing, which is defined as a business associate function. Her service is administrative in that she oversees some employee billing as well as providing training in-office. Because of this, Heather will be considered a business associate of Dr. Kittrell for all activities covered by their independent contractor relationship, whether they are performed at home or in the office.
Examples of Business Associates (BAs) functions and activities include claims processing or administration, benefits management, utilization review, quality assurance, and billing.
Examples of services provided by BAs include legal, accounting, data aggregation, and financial.
Financial institutions, in their normal course of business, process consumer-conducted financial transactions for covered entities by debit or credit card, clear checks, and initiate or process electronic funds transfers, all for payment for health care.
Emily, Dr. Frankel’s office manager, is negotiating contracts with Visa and Mastercard for payment for health care. Which of the following statements is true about their business associate agreements?
Answer explanation:
Dr. Frankel may decide to submit a modified agreement to Visa and Mastercard that is more aligned with his state’s HIPAA regulations than federal ones.
Because Visa and Mastercard provide standard banking and financial transactions (i.e., processing of credit card and electronic funds payments), they are exempt from HIPAA Rules for Business Associates.
According to the U.S. Department of Health and Human Services (HHS), this applies when a financial institution:
• Processes consumer-conducted financial transactions by debit, credit, or other payment cards
• Clears checks
• Initiates or processes electronic funds transfers
• Conducts any other activity that directly facilitates or affects the transfer of funds for payment for healthcare or health plan premiums
An office manager for a doctor’s office is negotiating with a medical device manufacturer for a new visual field machine that will transmit patient information to their patient electronic health record software.
True or False: If the medical device includes software whose solutions and/or data interact with systems containing electronic protected health information (ePHI), the manufacturer is considered to be a business associate.
Answer explanation:
A software provider whose solutions interact with systems containing electronic protected health information (ePHI) is considered a business associate. The same applies to cloud service providers, cloud platforms, document storage companies (physical and electronic storage), collection agencies, medical billing companies, asset and document recycling companies, answering services, attorneys, actuaries, consultants, medical device manufacturers, transcription companies, CPA firms, third-party administrators, medical couriers, and marketing firms.
A Business Associate Agreement (BAA) is a written arrangement that specifies each party’s responsibilities as they relate to protected health information (PHI).
When the office manager of a doctor’s office is updating their existing BAAs, what areas should they evaluate and modify?
Answer explanation:
If a covered entity engages a business associate to help carry out its health care activities and functions, the covered entity must have a written business associate contract with the business associate that:
• Establishes specifically what the business associate has been engaged to do
• Requires the business associate to comply with HIPAA
Access to protected health information (PHI) is permitted to accomplish the performance of certain tasks for a covered entity. Vendors must agree to use the PHI exclusively for the tasks they have been contracted to perform before PHI can be shared. They must also agree not to disclose the PHI to other entities and must implement safeguards to ensure the confidentiality, integrity, and availability of PHI.
JBW Services, Inc. has contracted with Mark Jackson, M.D., to identify conflicting software issues that may be impacting patient data. A BAA between Dr. Jackson’s practice and JBW Services, Inc. has been signed.
As part of their evaluation, JBW Services believes Dr. Jackson’s practice would be best served if they retained an expert in biometrics (e.g., fingerprint, voice, and face ID).
As a subcontractor, the biometric expert ________ sign a business associate agreement with ________.
Answer explanation:
The U.S. Department of Health and Human Services (HHS) stated that business associates and their subcontractors may now face HIPAA enforcement actions and are directly liable for violating the HIPAA Security Rule and enumerated provisions of the Privacy and Breach Notification Rules.
The subcontractor must sign a BAA with the vendor. The subcontractor may, but is not required to, sign a BAA with the covered entity. In the BAA, the subcontractor must promise to safeguard the electronic protected health information (ePHI) it creates, receives, maintains, or transmits on behalf of the business associate.
Gina works with protected health information (PHI) for a business associate of a covered entity. Her boyfriend had lunch with her at her workstation. Another employee observed the boyfriend scrolling through patient data on Gina’s computer while she stepped away. There is no indication he made notes of this information or did anything other than view it on Gina’s monitor.
This impermissible disclosure of PHI was reported to the Privacy Officer of the business associate of the covered entity.
Given the above, which of the following statements are true?
Answer explanation:
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised.
The severity of an improper use or disclosure of PHI must be determined by assessing whether the use or disclosure meets HIPAA’s “low probability of compromise” threshold. A four-factor test should be used which evaluates:
• The nature and extent of the PHI involved, including the types of identifiers
• The unauthorized person who accessed or used the PHI, or to whom the disclosure was made
• Whether the PHI was acquired or viewed
• The extent to which the risk to the PHI has been mitigated
If, after evaluating whether the PHI has been compromised, a covered entity or business associate reasonably determines that the probability of such compromise is low, breach notification is not required.
Physical security measures should immediately be put in place to prevent non-staff members from accessing the area where PHI is handled, and a computer/monitor lock-out should be activated before staff step away from the workstation.
Crissy’s Coding is a billing and coding company for a healthcare clinic. Crissy just learned that one of her employees accidentally clicked on a ransomware email, and no one is sure whether any information was stolen.
Which of the following statements are true?
Answer explanation:
Always look at your business associate agreement first to decide the next steps because the notice requirements there might be shorter than HIPAA law and may require notice even if it’s proven that it wasn’t ransomware.
Ransomware is presumed to be a breach under HIPAA unless you can prove it isn’t. HIPAA requires that you let the covered entity know about a breach promptly, but no later than 60 days after discovery.
To evaluate the extent of the breach and determine the “low probability” of PHI compromise, four factors have to be assessed according to HIPAA:
• The nature and extent of the PHI involved, including the types of identifiers
• The unauthorized person who accessed or used the PHI, or to whom the disclosure was made
• Whether the PHI was acquired or viewed
• The extent to which the risk to the PHI has been mitigated
The process of determining low probability has to be thorough. Covered entities and their business associates must also sufficiently document their analysis to meet the burden of proof regarding the breach assessment.
Purging medical records containing PHI in accordance with HIPAA is often the duty of a business associate. During the transport of encrypted records from a medical office, the business associate’s transport van was stolen.
Which of the following statements is true?
Answer explanation:
HIPAA only requires breach notification for unsecured PHI (e.g., unencrypted PHI). As such, physicians are encouraged to use appropriate encryption and destruction techniques for PHI, which render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Best practices, and often BAAs, would require that the originating medical office be notified.
A covered entity may hire an outside vendor to pick up PHI in paper records or electronic media from its premises, to shred, burn, pulp, or pulverize the PHI, or purge or destroy the electronic media, and deposit the deconstructed material in a landfill or other appropriate area.
The HIPAA Privacy Rule requires a business associate to provide individuals with access to their protected health information (PHI) or an accounting of disclosures, or an opportunity to amend protected health information (PHI).
As it pertains to the above, which of the following statements are true?
Answer explanation:
The Privacy Rule regulates covered entities, not business associates.
However, the Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information (PHI) it receives or creates on behalf of the covered entity. These satisfactory assurances must be in writing, in the form of a contract or other agreement between the covered entity and the business associate.
The business associate is required to appropriately safeguard the protected health information (PHI) that it creates, receives, maintains, or transmits for the covered entity or business associate per HIPAA Rules.
There is also direct liability for failing to safeguard ePHI under the Security Rule and for impermissible uses or disclosures of the PHI.
HIPAA audits performed by a business associate must be shared with the covered entity _____________.
Answer explanation:
The HIPAA Rules do not expressly require that a business associate provide documentation of its security practices, or otherwise allow a customer to audit its security practices.
However, covered entities may require, through the BAA, service level agreement, or other documentation, additional assurances of protections for the PHI. This may include documentation of safeguards or audits based on their risk analysis and risk management or other compliance activities.
There is a direct liability for business associates who fail to safeguard ePHI under the Security Rule and for impermissible uses or disclosures of the PHI.
Business associates have a schedule of best practices created for them by an appointed HIPAA Officer. They include entering into subcontractor business associate agreements with any subcontractors to which PHI will be sent.
When PHI sent to the subcontractor is impermissibly used or disclosed, the first step of the business associate should be to consult the business associate agreement to determine all obligations at that point.
Additional steps that should be taken by the business associate include which of the following?
Answer explanation:
Some best practices for business associates include the following:
• Adopt and operationalize HIPAA policies and procedures that comply with the HIPAA Rules
• Distribute the HIPAA policies and procedures to members of your workforce
• Conduct a risk analysis
• Make sure to enter into business associate agreements with any covered entities that will send you PHI
• When any PHI you have is impermissibly used or disclosed, consult your business associate agreement to see what your obligations are at that point