Answer Common HIPAA Questions – Business Associate
What changed in 2013 for business associates?
One of the most significant changes under HIPAA’s final rule, effective September 23, 2013, was that business associates of HIPAA covered entities became directly liable for compliance with certain Privacy and Security Rule requirements. This means that the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR), which enforces HIPAA, now has jurisdiction to audit, regulate, and sanction business associates for non-compliance with HIPAA. Previously, OCR’s ability to ensure compliance with the rules extended primarily to providers, healthcare organizations, and insurance companies. Business associates were bound to comply with HIPAA only by means of their contract with the covered entity for which they worked.
Note: HIPAA is the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 Code of Federal Regulations [CFR] Parts 160, 162, and 164).
Who or What Is a Business Associate?
HIPAA defines a business associate as a person or entity who performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information (PHI). This includes creating, receiving, maintaining, and transmitting PHI. Typical business associate functions and services include claims processing; data analysis; utilization review; quality assurance; billing; benefit and practice management; and legal, actuarial, consulting, management, and/or financial services.
Under the final rule, HHS clarified and expanded who qualifies as a business associate under HIPAA to include the following types of entities:
- Health Information Exchange Organizations (HIOs) that work to oversee the exchange of health information across different organizations;
- E-prescribing gateways that allow providers to write and send prescriptions to a participating pharmacy electronically;
- Data transmission service providers (for both paper and electronic PHI) who require access to PHI on a routine basis;
- Vendors of personal health records (PHRs) who offer PHRs to individuals on behalf of a covered entity;
- Patient Safety Organizations (PSOs) that receive reports of patient safety events or concerns from providers under the federal Patient Safety Quality Improvement Act of 2005 (PSQIA) (see: 42 U.S.C. 299b-22(i)(1));
- Medical liability insurance companies if they assist with services such as risk management, assessment activities, or legal services for which they require access to PHI; and
- Subcontractors of business associates that create, receive, maintain, or transmit PHI on behalf of the business associate.
This change means even more types of organizations are now considered business associates if they maintain PHI, even if they never actually view it. This would include online storage vendors, cloud service providers (such as internet-based calendar platforms), and electronic health record (EHR) vendors that serve as the access point for individuals wanting copies of their medical records.
Who Is Not a Business Associate?
Persons and entities that are part of a covered entity’s workforce are not considered business associates. This may include temporary workers, volunteers, interns, and others who work with or for a covered entity, regardless of who pays them (or even if they are paid). Healthcare providers who receive PHI for the purposes of treating patients aren’t business associates of the other entity, either.
Entities that act merely as conduits for the transport of PHI, and that do not access the information other than on a random or infrequent basis, are not business associates. This means that entities such as the U.S. Postal Service, United Parcel Service, Federal Express, internet service providers, or other delivery services for either digital or hard copy PHI that provide mere courier services are not considered business associates.
Make Sure Your BA Agreement Is Up to Date
HIPAA permits the disclosure of PHI to business associates, but the assurances of how that information will be appropriately safeguarded must be defined in a contract. This contract is referred to as a business associate agreement (BA agreement) and has been a requirement of HIPAA since 2003.
The new responsibilities passed along to business associates were required to be incorporated into these agreements by September 2013. Only existing BA agreements that were already in compliance with HIPAA before the final rule was issued in January 2013 receive a grace period, until September 2014, to incorporate the new responsibilities into the written agreement.
What Has Changed in the BA Agreement?
BA agreements have always required that the business associate implement administrative, physical, and technical safeguards that reasonably and appropriately protect PHI. The new written agreement requirements must specify that business associates and their subcontractors:
- Enter into subcontractor agreements with any downstream business associates;
- Comply with applicable requirements in the Privacy and Security Rules;
- Report any use or disclosure of PHI that is not permitted by the contract to the upstream business associate or covered entity; and
- Ensure that each downstream agreement is at least as strict as the original agreement between the CE and BA regarding allowable uses and disclosures of PHI.
Take Action Towards Compliance
If you’re a covered entity, you need to identify all of your business associates, especially those that didn’t fit the definition of a business associate previously, such as data storage companies. Make sure that you have executed proper BA agreements with them.
If you are a business associate, assess who your subcontractors are that handle PHI from your covered entities, and make sure you have entered into appropriate agreements with them to restrict uses and disclosures of that PHI. Remember, these agreements must be at least as stringent as those required of you by your covered entity.
HIPAA does not require you to have your business associates attest to being in compliance with HIPAA or to audit them; however, taking reasonable steps to ensure that your business associates understand what is required of them under the final rule, such as making them aware that they can now be audited and fined by the federal government for non-compliance, is advised. Consider a security questionnaire to evaluate a business associate’s ability and willingness to appropriately safeguard PHI. How OCR will enforce violations against business associates in the future remains to be seen, but the floodgates have been opened.