Who is a Business Associate under HIPAA?

Last year’s passing of the new HIPAA requirements signaled the government’s concern that individually identifiable health information needs stronger protection beyond the borders of the healthcare industry. HIPAA already recognized this need by imposing obligations on covered entities and their business associates in prior versions of the rule. In the latest rule update, however, the US Department of Health and Human Services (HHS or Department), among other things, expanded the definition and responsibilities of business associates and now made them directly liable for HIPAA noncompliance.

In technical terms, the Final Omnibus Rule (Final Rule) implemented changes to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the HITECH law and established a time frame by which covered entities and business associates had to comply with the new requirements. In summary fashion, the following is what the Final Rule had to say about business associates.

Business Associate

The Final Rule not only expanded the definition of a business associate (BA) but it also made a BA directly liable for civil money penalties for violation of applicable HIPAA provisions.

A BA as now defined is a person or entity, not a member of the covered entity’s workforce, that creates, receives, maintains, or transmits protected health information (PHI) for a function or activity on behalf of a covered entity (including patient safety activities). Examples include those involved in claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing.

The Final Rule left unchanged previously defined services that may give rise to a business associate relationship if the provision of such services involves the disclosure of PHI from the covered entity to the person. Such services include actuarial, accounting, legal, consulting, data aggregation, management, administrative, accreditation, and financial.

Examples of business associates expressly identified in the Final Rule include: a) a health information organization, E-prescribing Gateway, or other person or entity that provides data transmission services with respect to PHI to a covered entity and that requires routine access to such PHI; or b) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

What constitutes “access on a routine basis” when determining whether data transmission services give rise to a business associate relationship (and therefore must comply with HIPAA) or are “mere conduits” (and are exempt from HIPAA) is a fact-specific inquiry. Factors evaluated include the nature of the services provided and the extent to which the entity needs access to PHI to perform the service for the covered entity.

Conduit Exception Is Narrow

Historically, HIPAA did not require a covered entity to enter into a business associate agreement with a person or organization that acts merely as a conduit for PHI (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit was viewed as an entity that transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. In the comments to the HIPAA rule published in late December 2000, the HHS explained that “[s]ince no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.”

In the Final Rule, the Department warned that the “conduit exception” is “a narrow one and is intended to exclude only those entities providing mere courier services, such as US Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers.”

The Department further explained that the conduit exception, which is limited to transmission services (whether digital or hard copy), also includes any temporary storage of transmitted data incident to such transmission. However, an entity that maintains PHI on behalf of a covered entity, such as a data or document storage company, is a business associate and not a conduit, even if it does not actually view the PHI. Marking the distinction, the Department commented as follows:

We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity.

Subcontractors Are Business Associates

To ensure that privacy and security protections for PHI do not lapse as information and services move downstream from a covered entity to a BA and beyond, the Final Rule brought subcontractors into the fold of the HIPAA/HITECH privacy and security standards. As a result, subcontractors that are not part of the BA’s workforce and that create, receive, maintain or transmit PHI on behalf of a BA are business associates and must comply with applicable HIPAA Privacy and Security Rule provisions or incur liability for noncompliance. In other words, business associates can have business associates of their own. A covered entity is not required to enter into a contract with a subcontractor.

Contract Requirements and Penalties for Non-Compliance

While the Final Rule still requires a business associate agreement between a covered entity and a BA, the Final Rule now makes BAs directly liable for HIPAA violations irrespective of whether a business associate agreement exists with a covered entity. BAs must also have business associate agreements with subcontractors and the contract must be as rigorous as the contract between a covered entity and the business associate.

Who is Not a Business Associate

The Final Rule excludes certain entities from the definition of a business associate. A health care provider is not a BA where disclosure by a covered entity to the health care provider concerns the treatment of the individual. As such, a hospital is not required to have a business associate agreement with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.

Government agencies determining eligibility for or enrollment in a government health plan that provides public benefits and is administered by another government agency, or collecting PHI for such purposes, are excluded to the extent such activities are authorized by law.

A BA does not include a health plan sponsor (e.g., an employer), with respect to certain disclosures by a group health plan to the plan sponsor, provided that the requirements of the Privacy Rule are met.

In the Final Rule comments the Department provided that, in general, the HIPAA rules, including the business associate rules, do not apply to banking and financial institutions with respect to payment processing activities such as cashing a check or conducting a funds transfer. However, if a banking or financial institution performs activities on behalf of covered entities that go beyond payment processing, such as performing accounts receivable functions, then such an institution may be a BA.

Time Frame for Compliance

The Final Rule became effective March 26, 2013. Covered entities and business associates had to comply with the applicable requirements of the Final Rule by September 26, 2013. Contracts in existence prior to the publication of the Final Rule (January 25, 2013) that complied with the prior HIPAA provisions and not renewed or modified between March 26, 2013 and September 23, 2013, have up to one additional year from September 23, 2013 to come into compliance, i.e., until September 23, 2014.

If you need assistance with business associate agreements, have questions about HIPAA and HITECH laws, or have any other concerns about your healthcare practice or business, you may contact us here.