Checklist for Classifying Business Associates
Overview
An important first step in managing third-party risk in healthcare is to decide whether HIPAA applies to an organization and its business relationships. In this assignment you will create a tool to determine the applicability of HIPAA rules in different scenarios. The tool will be a spreadsheet, checklist, or other resource that can be used to determine whether a third-party contractor of a covered entity is a business associate and whether its business practices meet HIPAA requirements for securing protected health information (PHI).
Instructions
Preparation: Examine the examples listed in the Resources that show several tools used to determine if an organization qualifies under HIPAA as a business associate of a covered entity. Another Resource (“Covered Entity Charts”) will help you understand how to determine if an organization is a covered entity under HIPAA.
After you have examined the resources, create your own similar tool for determining if an organization is a covered entity and/or a business associate. List the questions that need to be asked about an organization to make this determination and the criteria found in the law that are needed to classify the organization in one of these categories.
Once you have created your tool, apply it to the cases and analyze them. Submit the following in your assignment:
• Your tool and an explanation of how to use it.
• An analysis of each case that shows the details of the case, evidence of the tool’s application, and a rationale for your conclusions about the scenario.
Case 1: A popular grocery store chain requires its pharmacy customers to sign into a logbook that is publicly accessible on its counter. Each customer is to provide their name, phone number, address, and doctor’s name. It does this statewide at each of its 156 stores.
• Is this chain a covered entity?
• Is it a business associate?
• Is it HIPAA compliant?
• Explain the rationale behind your answers.
Case 2: A medical billing service provider contracts with small doctors’ offices statewide to process their patients’ billing. The doctors send their patients’ information to the provider both in hardcopy via standard fax and electronically over a VPN. The information includes PHI.
• Is this provider a covered entity?
• Is it a business associate?
• Is it HIPAA compliant?
• Explain the rationale behind your answers.
Criteria for paper:
Creates a tool used to distinguish whether an organization is a covered entity or a business associate; illustrates clear decision-making criteria, using visual or other means.
Develops a tool appropriate for professional communication in a healthcare organization; the tool demonstrates industry standards and a clear, original organizational scheme.
Explains the definitions of business associates and covered entities; provides criteria for determining the categories.
Analyzes the application of a tool to determine if an organization is a business associate under HIPAA.
Analyzes the application of HIPAA requirements to real-world scenarios; explains how the application is unique in the given situation.