A series of recent enforcement actions confirms just how serious the government is about assessing monetary penalties against covered entities who disclose protected health information (PHI) to business associates without written business associate agreements (BAAs) in place.
In one of the largest HIPAA settlements to date, Illinois-based Advocate Health agreed in August 2016 to pay $5.5 million to resolve multiple potential HIPAA Privacy and Security Rule violations, including allegations that it had disclosed the ePHI of over 2,000 individuals to a billing services vendor without first entering into a BAA with the vendor.
Another sizable settlement earlier in 2016 had North Memorial Health Care of Minnesota paying the government $1.55 million to resolve allegations that it violated HIPAA by, among other things, failing to execute a BAA before sharing the PHI of nearly 290,000 patients with a vendor that performed certain payment and healthcare operations functions.
Other enforcement actions include a Rhode Island hospital that paid $400,000 in September 2016 to resolve allegations it had disclosed PHI to a business associate and had allowed the business associate to create, receive, maintain, or transmit PHI on its behalf without a BAA, and a small pediatric subspecialty practice in Illinois that in April 2017 paid $31,000 and entered into a corrective action plan to resolve potential HIPAA Privacy Rule violations stemming from its failure to enter into a BAA prior to disclosing PHI to a medical records storage company.
As these cases make clear, it is imperative that covered entities understand when persons or entities come within the definition of a business associate, thereby triggering the need for a BAA. Covered entities must also understand when a person or entity is not a business associate so that they avoid unnecessarily entering into BAAs and assuming contractual obligations that they are not otherwise required to undertake.
Who is a Business Associate?
A wide range of persons and entities who provide services to or perform functions on behalf of healthcare providers and other covered entities are business associates and thus must comply with HIPAA’s Security Rule and certain provisions of its Privacy and Breach Notification Rules. As amended by 2013’s Omnibus Rule, HIPAA defines a business associate as any person or entity, other than a member of the covered entity’s workforce, who:
- On behalf of a covered entity, creates, receives, maintains, or transmits PHI for a function or activity regulated under HIPAA;
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.
Common examples of business associates include: a third-party administrator that assists a health plan with claims processing; a CPA firm whose accounting services to a healthcare provider involve access to PHI; an attorney whose legal services involve access to PHI; a consultant who performs utilization reviews for a hospital; an independent medical transcriptionist who provides transcription services to a physician; and a pharmacy benefits manager that manages a health plan’s pharmacist network.
Importantly, companies that simply maintain PHI for covered entities are considered business associates, regardless of whether they access the PHI. Thus, a storage or cloud computing vendor is a business associate because it “maintains” PHI on behalf of the covered entity, even if it never actually views the PHI or views it only on a random or infrequent basis.
HIPAA business associates also include the following persons/entities:
- Subcontractor(s). A business associate subcontractor is a person (or entity) who is not part of the business associate’s workforce and to whom a business associate delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI on behalf of the business associate. A subcontractor’s compliance obligations and direct liability under HIPAA mirror those of the business associate itself. The inclusion of subcontractors within the business associate definition thus means that all downstream vendors are subject to the same requirements and obligations to which a covered entity’s direct contract business associates are subject. A business associate’s disclosure of PHI for its own management and administration or legal responsibilities does not, however, create a business associate subcontractor relationship with the recipient of the PHI.
- PHR Vendors. A company that offers a personal health record (PHR) to one or more individuals on behalf of a covered entity is a business associate. In determining whether a PHR vendor is a business associate with whom a BAA is required, the critical inquiry is whether the PHR vendor is offering personal health records directly to individuals or offering personal health records on behalf of the covered entity. If the covered entity hires the vendor to provide and manage a PHR service that the covered entity offers its patients, and, in furtherance of that service, provides the vendor with access to PHI, the PHR vendor is acting as a business associate. HHS has also clarified that a PHR vendor that offers a personal health record to a patient on behalf of a covered entity is not acting merely as a conduit, since the PHR vendor is maintaining PHI on behalf of the covered entity (for the benefit of the individual), even if the PHR vendor never actually accesses the PHI.
- Health information organizations, E-prescribing gateways, or other persons or entities that provide data transmission services with respect to PHI to a covered entity and that require routine access to such PHI. Whether a person or entity requires “routine access” to PHI to perform the data transmission services depends on the nature of the services and the extent to which the entity needs access to PHI to perform the service. Those who require routine access to PHI are contrasted with true courier entities (e.g., UPS, USPS) that provide merely limited transmission services and that have only sporadic opportunities to access the PHI.
It is critical to remember that because an entity (or person) is a business associate if it meets the definition of a business associate, the absence of a BAA does not mean the absence of a business associate relationship. As long as the person or entity is not a member of the covered entity’s workforce and is performing functions on behalf of, or providing services to, the covered entity that involve the creation, receipt, maintenance, or transmission of PHI, the person or entity is a business associate and a BAA is required.
Who is not a Business Associate?
HIPAA regulations specifically remove from the definition of business associate the following persons and entities:
- A healthcare provider to whom a covered entity discloses PHI for purposes of treatment of the individual;
- A plan sponsor to whom a group health plan (or health insurance issuer or HMO) discloses PHI;
- A government agency to whom PHI is disclosed for purposes of the agency determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency; and
- A covered entity participating in an organized healthcare arrangement that performs a function or activity for or on behalf of such organized healthcare arrangement involving the creation, receipt, maintenance, or transmission of PHI, or that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such organized healthcare arrangement.
In addition to these express exclusions, HIPAA’s business associate definition – insofar as it encompasses only those persons or entities who, on behalf of a covered entity, perform services or functions requiring the creation, receipt, maintenance, or transmission of PHI – necessarily excludes those persons or entities who access PHI for their own purposes, and those whose job functions do not require them to use or access PHI.
Examples of persons or entities who access PHI for their own purposes and thus are not business associates include:
- An external researcher of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research;
- An external or independent Institutional Review Board by virtue of its performing research review, approval, and continuing oversight functions; and,
- Banking and financial institutions with respect to certain payment processing activities (e.g., cashing a check, conducting a funds transfer, authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for healthcare or health plan premiums). Note that a banking or financial institution may become a business associate if it performs functions above and beyond these payment processing activities on behalf of a covered entity, such as performing accounts receivable functions on behalf of a healthcare provider.
Examples of persons or entities whose functions or services do not require access to PHI include janitors, plumbers, electricians, and maintenance workers. Because HIPAA permits incidental disclosures of PHI so long as reasonable safeguards are in place to protect the privacy of the PHI, these persons and entities are not business associates, even though the performance of their job duties might entail access to areas where PHI is maintained or involve some other limited exposure to PHI. Another common example is the pharmaceutical sales representative who visits a physician’s office for the purpose of providing drug samples and product information. Because the representative does not require access to PHI in order to carry out these activities, and her contact with PHI is merely incidental and limited, she is not a business associate of the physician and a BAA is not required.
Similarly, those who are conduits for PHI, such as the postal service, UPS, and private couriers, are excluded from the business associate definition because they merely transport information, whether digitally or in hard copy, but do not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by law. HHS has noted that what separates a mere conduit from a business associate is the transient, versus persistent, nature of the conduit’s opportunity to access PHI during the performance of its functions or provision of its services.
Covered entities who contract with vendors who are not business associates should consider confidentiality agreements, particularly if the person or entity has access to the facility at times when the covered entity is not present (for example, a landlord or cleaning service).