The HIPAA Privacy Rule provides federal protections for Personal Health Information (PHI) held by covered entities, and gives patients an array of rights with respect to that information. In addition, the Privacy Rule is balanced so that it permits the disclosure of PHI needed for patient care and other important purposes.
The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). The HITECH Act, which is an addition to the overall HIPAA mandates, holds business associates responsible for being compliant with the HIPAA Privacy Rule and Security Rule.
The HITECH Act also mandates the Business Associate’s responsibility for holding the Covered Entity to the Business Associate contract and the HIPAA Privacy Rule and Security Rule. If the Business Associate becomes aware of any non-compliance by the Covered Entity, the Business Associate must fix the breach, terminate the Business Associate contract, and/or report the non-compliance to the Department of Health and Human Services (HHS).
In order to fulfill HIPAA regulations, Business Associates have to comply with the HIPAA Privacy Rule and Security Rule effective February 17, 2012.
Office Ally is a clearinghouse Covered Entity under HIPAA, providing Business Associate services.
Covered Entities include:
The HIPAA Privacy and Security Rules require Covered Entities and their Business Associates to maintain the confidentiality and the security of protected health information (“PHI”) and electronic PHI (“ePHI”).
Business Associates are third parties (not employees of a Covered Entity) that create, receive, maintain, or transmit PHI in the course of providing administrative (not health care) services for or on behalf of a Covered Entity. Examples of Business Associate services include:
Accountants, EMR vendors, health care attorneys, health information exchange organizations, medical billing companies, and medical record storage companies are some examples of Business Associates. All of these companies provide services to Covered Entities which require the Covered Entity to disclose PHI to the Business Associate to enable the Business Associate to perform its services.
Office Ally is a health care clearinghouse that acts as a Business Associate when it provides clearinghouse functions to health plans and health care providers. In other situations, if Office Ally stores or de-identifies PHI for a client that is a Covered Entity or a Business Associate, Office Ally is acting as a Business Associate or Business Associate Subcontractor, respectively, of that Covered Entity or Business Associate.
The Business Associate Agreement (BAA) is Office Ally’s contract between the Covered Entity (the User) and the Business Associate (Office Ally) to ensure the protection of the privacy and security of the PHI (ePHI) the User sends to Office Ally. The HIPAA Privacy and Security Rules require a contract of this kind.
The user (Covered Entity) must have a fully executed Office Ally Business Associate Agreement (BAA) on file with Office Ally in order to utilize Office Ally services.
The Business Associate Agreement (BAA) stipulates the requirements and limitations on how PHI (ePHI) is handled by Office Ally (Business Associate).
Limitations on Use and Disclosures
Implement Safeguards to protect PHI (ePHI)
Reporting a Breach of PHI (ePHI) security
Availability of Information to Covered Entity
The BAA outlines the type of information that Office Ally (Business Associate) must provide to the User (Covered Entity) if requested, and the timeframe in which it must do so. This could include, but is not limited to:
The User (Covered Entity) is responsible for conforming to all HIPAA regulations in their own practice/office/facility, as well as in their dealings with Office Ally (Business Associate). The BAA outlines multiple notifications the User (Covered Entity) must give Office Ally (Business Associate) if any of the following circumstances apply:
The HIPAA Privacy and Security Rules establish new regulations to protect patients’ privacy, and improve the security surrounding that information. New obligations and responsibilities for Covered Entities and Business Associates help accomplish this. Office Ally strives continuously to ensure the utmost privacy and security for our users, in both the Covered Entity and Business Associate roles.
Send an email to Office Ally’s Compliance Department, Compliance@OfficeAlly.com, with the following information:
If you have questions about Office Ally’s Security and Privacy Policies, or would like to report a suspected incident, non-compliance, or unethical behavior, contact Office Ally’s Compliance Department using one of the methods below: