Support Center

Find answers here about the tools you need

Any person or business in the United States or its territories that is a Covered Entity or Business Associate is required to have a HIPAA compliance program.
Covered Entities are generally all direct healthcare providers (for example: doctors; physical therapists; occupational therapists; nurse practitioners; physician assistants; psychologists; dentists; oral surgeons; speech therapists; and chiropractors), healthcare facilities (for example: hospitals; clinics; nursing homes; surgery centers; imaging centers; pharmacies; urgent care centers; skilled nursing facilities; and rehabilitation centers) and health insurance related businesses, that is, health plans and healthcare clearinghouses (for example: health insurance companies; health maintenance organizations (HMOs); company health plans; and government healthcare programs - Medicare, Medicaid, Military and Veterans Administration).
Business Associates are healthcare service and related businesses that come in contact with protected health information during the course of their business and in dealing with Covered Entities (for example: practice management companies and consultants; medical billing services; benefits management companies; transcriptionists; attorneys; accountants, bookkeepers and certified public accountants (CPAs); data management firms; data analysts; accreditation services; financial services providers; electronic health record (EHR) providers; practice management software companies; medical and durable medical equipment (DME) suppliers; server farms; and data storage facilities).

There must be a signed Business Associate Agreement (BAA) between a Covered Entity and a Business Associate.

If you are a Business Associate (as defined by the Omnibus Rule), and a Covered Entity with which you do business has sent your organization a BAA, you, as an authorized representative of your company, must sign the BAA.

In the same manner, if a Business Associate initiated a BAA with the Covered Entity, then the latter must sign the BAA.

Not sure if you are a Business Associate? Click here.

Signing a Business Associate Agreement is only the first step. Under the Omnibus Rule, a Covered Entity must obtain assurances that a Business Associate, and any subcontractor of theirs that has access to Protected Health Information (PHI), is meeting the requirements of HIPAA.

In other words, the signed BAA serves as a guarantee that the Business Associate will appropriately safeguard PHI. The BAA also serves to clarify and limit the permissible uses and disclosures of PHI by the Business Associate.

The law requires a Business Associate Agreement.

In most cases, the lack of a Business Associate Agreement is the first indication that your IT company may be overstating its capabilities and services.

We recommend a simple test to see whether they are in fact in compliance with HIPAA - have them complete our Business Associate Attestation Form _HIPAA Security_.pdf (located in EPICompliance Customer Console > Forms and Policies > HIPAA Security > PDF Forms).

This form provides you with the assurances you need to determine whether they are following HIPAA regulations.

If this cannot be done, we recommend the following:

  1. Sign a HIPAA compliant agreement, or
  2. Cancel the contract and look for another subcontractor.

Regardless of the decision, EPI Compliance is here to support and assist you.

For questions or concerns, contact us via the following:
