Should business associates give individuals access to their PHI?

Business associates are not required to give individuals direct access to their protected health information (PHI). However, they must assist the covered entity in providing access when an individual requests it. The covered entity is ultimately responsible for ensuring individuals can access their PHI.

Patient rights under HIPAA

Under the HIPAA Privacy Rule, individuals have several rights concerning their PHI, including:

  • Right to access: Individuals have the right to access their PHI held by covered entities, which allows them to request copies of their health records.
  • Right to amend: Patients can request changes to their PHI if they believe it is inaccurate or incomplete.
  • Right to an accounting of disclosures: Individuals have the right to know who has accessed their PHI and for what purpose.

These rights empower patients and promote transparency within the healthcare system.

Go deeper: What are patient rights under HIPAA?

The role of business associates

While business associates manage PHI, they are not directly responsible for providing individuals access to their health information. Instead, their obligations primarily revolve around supporting the covered entity in fulfilling its responsibilities under HIPAA.

Read also: What does it mean to be a business associate?

Accessing PHI

According to the HHS, “The Privacy Rule regulates covered entities, not business associates... Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access.”

Although business associates are not required to give individuals direct access to their PHI, they must assist the covered entity in doing so. When a patient requests access to their health records, the covered entity must respond to that request. If the records are held by a business associate, the covered entity will rely on the associate to provide the necessary information.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is a business associate under HIPAA?

A business associate is any person or entity that performs functions or activities on behalf of a covered entity (like a healthcare provider or health plan) that involve the use or disclosure of PHI. Examples include billing companies, data storage services, and cloud computing providers.

What should a patient do if they want access to their health records?

Patients should contact their healthcare provider or the covered entity directly to request access to their health records. The provider will then work with any business associates to ensure the request is fulfilled.

Can business associates disclose PHI without the covered entity's consent?

Business associates can only disclose PHI in accordance with the terms of their business associate agreement (BAA) and HIPAA regulations. They cannot disclose PHI without the covered entity's consent, except in specific circumstances allowed by HIPAA, such as for public health activities or legal requirements.

Read also: What is PHI disclosure?