Under HIPAA, which one of the following statements is true regarding the release of
PHI by covered entities to business associates?
A. Covered entities are responsible for the use of PHI made by business associates.
B. Covered entities aren’t allowed to release PHI (identifiable or de-identified) to
business entities.
C. Covered entities must require adequate assurances in writing that business
associates will adequately safeguard PHI.
D. Once a covered entity releases information to a business associate, the associate
may disclose that information to other entities.
B
I think B is correct.
anser is c
C
Department of Health and Human services site.
To find the answer to this question, we need to understand the role of covered entities and business associates under HIPAA (Health Insurance Portability and Accountability Act) and the rules regarding the release of PHI (Protected Health Information).
HIPAA defines covered entities as healthcare providers, health plans, and healthcare clearinghouses that handle protected health information. Business associates, on the other hand, are individuals or organizations that provide services to covered entities involving the use or disclosure of PHI. Examples of business associates include billing companies, law firms, and IT vendors.
Now let's analyze the statements:
A. Covered entities are responsible for the use of PHI made by business associates.
It is true that covered entities are responsible for the use of PHI made by their business associates. However, this is not specific to the release of PHI but rather the overall responsibility of covered entities for the actions of their business associates. So, this statement is not the correct answer.
B. Covered entities aren't allowed to release PHI (identifiable or de-identified) to business entities.
This statement is not true. Covered entities are permitted to release PHI to business associates, but there are certain requirements and safeguards that must be followed to protect the privacy and security of the PHI. So, this statement is not the correct answer.
C. Covered entities must require adequate assurances in writing that business associates will adequately safeguard PHI.
This statement is true. Under HIPAA, covered entities are required to have a written agreement with their business associates, known as a Business Associate Agreement (BAA). The BAA must include provisions and assurances that the business associate will appropriately safeguard the PHI and comply with HIPAA regulations. So, this statement is the correct answer.
D. Once a covered entity releases information to a business associate, the associate may disclose that information to other entities.
This statement is not true. Once a covered entity releases PHI to a business associate, the business associate is not allowed to further disclose that information to other entities without the explicit permission or authorization from the covered entity. So, this statement is not the correct answer.
Therefore, the correct answer is C. Covered entities must require adequate assurances in writing that business associates will adequately safeguard PHI.