Health
care providers, health plans (including Medicaid) and health care
clearinghouses (called “covered entities”) must comply with HIPAA’s rules to
protect the privacy and security of health information and must provide
individuals with certain rights with respect to their health information.
Covered entities may share protected health
information without patient authorization for the purposes of treatment,
payment and certain health care operations.
If a covered entity engages a “business associate”
to help it carry out its health care activities and functions, the covered
entity must have a written business associate contract that establishes specifically what the business associate has been
engaged to do. This agreement requires them to comply with certain aspects of HIPAA regulations to
protect the privacy and security of protected health information.
Medicaid pays for some non-medical services
(such as chore services, respite care, homemaker services and personal care
services). Because the information we share with these providers about
members is protected health information, these
providers are business associates and must sign a business associate contract.
The enrollment checklist will tell you if you need to sign a Business Associate
Addendum.