The HIPAA Omnibus Final Rule brought with it several key changes to the landscape of HIPAA compliance. As part of these changes, business associates were more clearly defined, and their obligations under HIPAA’s Security and Privacy Rules were specifically set. This post will take a detailed look at “business associates” (BAs), explaining what types of organizations are considered to be BAs, and to what elements of HIPAA they must adhere.
Business Associate Definition
Here’s the formal BA definition straight from the Act:
(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of §164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
Okay, lots of info in there. What’s this definition mean in practice? It means that any company that creates, receives, maintains, handles, or transmits PHI on behalf of a covered entity is considered a business associate. The definition also includes those organizations that handle PHI on behalf of a covered entity’s business associate – so a BA of a BA is considered by law to be a HIPAA business associate. You can see how this downstream approach could include a long chain of BAs, thereby substantially increasing the HIPAA compliance obligations of each link. Examples of BAs include:
- Health Information Organizations
- Third party claims administrators
- Professionals (CPAs, attorneys, consultants)
- Data transmission service providers
- Subcontractors that require access to PHI
- Document and data destruction organizations
- Document storage companies
- Data storage companies
- Data conversion and analysis service providers
Once a determination of being a business associate is made, the next step is determining what obligations arise.
Business Associates’ HIPAA Compliance Obligations
HIPAA compliance can be roughly broken into 3 primary Rules: Security Rule; Privacy Rule; and Breach Notification Rule. Let’s address each in turn.
The Security Rule
The Security Rule sets forth a set of requirements designed to protect the confidentiality, integrity, and availability of ePHI. Its comprised of Administrative, Physical, and Technical Safeguards. BAs (and their downstream contractors) must comply with all of the requirements as if it were a covered entity. That means, in turn, that if a BA is found to be non-compliant it is subject to the penalties of the Enforcement Rule. Basically, if an organization is a BA, it has no reprieve from complying with the full set of Security Rule requirements.
The Privacy Rule
The Privacy Rule dictates how an organization uses and discloses an individual’s personal information. Some uses and disclosures are required, some permitted, and some authorized. Every other use or disclosure is prohibited. After the Omnibus Rule, BAs must now comply with the use and disclosure requirements of the Privacy Rule and are subject to liability for improper uses and disclosures. Additionally, a BA must provide breach notification to the covered entity it services, and must abide by the Privacy Rule’s “minimum necessary” principle (for more information on these topics, read this and this).
The Breach Notification Rule
The Breach Notification Rule (BNR) creates detailed procedures that must be taken in the event of a data breach. As mentioned above under the Privacy Rule section, BAs have to comply with the BNR, which means they have to have procedures in place to deal with data breaches (including identifying, handling, reporting, and resolution of breaches). In the event of the breach, however, BAs notify the covered entity with which they’ve contracted, who in turn, provides the notice(s) as needed to the individuals (and to HHS and the media, as necessary). Said differently, BAs don’t have direct-to-individual notice responsibilities.
In the post-Omnibus compliance world a business associate is subject to more stringent compliance obligations. A BA can be (severely) fined for its non-compliance, is subject to the Security and Privacy Rules as if it were a covered entity, and must perform breach notification activities in the event of data loss. Further, the contractors of BAs are on the hook, too – these downstream entities can be subject to HIPAA obligations and fines as if they were covered entities. Needless to say, now is the time to ensure your organization’s HIPAA compliance. Contact us to learn more about what you need to do.