What is a (who are) Business Associate(s)?
The HIPAA regulations establish two categories of individuals/entities as business associates:
- The first category defines a business associate as a person who performs or assists in the performance of a function or activity on behalf of a covered entity, where that function or activity involves the use or disclosure of protected health information. If protected health information is used or disclosed, the first category includes (but is not limited to) the following activities: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.
- The second category defines a business associate as a person who provides the following specified services to the covered entity, where the provision of services involves the disclosure of protected health information:
  - Legal
  - Actuarial
  - Accounting
  - Consulting
  - Data aggregation
  - Management
  - Administrative
  - Accreditation
  - Financial
Implementation Tip: The second category of business associates is limited to the listed activities; however, the first category is not limited to the listed activities and may be much broader.

Implementation Tip: Note that business associates include any agent, contractor, or other person who receives protected health information from the covered entity (or from another business associate of the covered entity) for the purposes described above.
What is the restriction on disclosures to Business Associates?
A covered entity may disclose protected health information to a Business Associate and allow the Business Associate to create or receive protected health information on its behalf only if it obtains “satisfactory assurance” that the Business Associate will appropriately safeguard the protected health information.
Why does HIPAA regulate the relationship between Covered Entities and Business Associates?
The Business Associate provisions of HIPAA were adopted out of concern that Covered Entities routinely disclose protected health information to a wide range of third parties. Because HIPAA applies only to Covered Entities, the Business Associate Rule places restrictions on third parties who perform certain functions or activities for or on behalf of a Covered Entity that involve the disclosure of protected health information. Without restrictions on these disclosures, the protections intended by HIPAA would not cover a significant amount of protected health information that is disclosed to Business Associates.
Who is excluded from the Business Associate Rule?
The Business Associates Rule contains a number of important exclusions to Business Associate status:
- Does not apply to members of the covered entity's workforce (employees, volunteers, trainees or others whose work is under the direct control of the covered entity, regardless of whether they are paid).
- Does not apply to medical staff based solely on staff privileges, unless one party is providing services to or for the other (e.g., where a hospital provides billing services for physicians with staff privileges).
- Does not apply to covered entities that perform services as part of an Organized Health Care Arrangement (i.e., where covered entities participate in joint arrangements for the financing or delivery of health care).
- Does not apply to disclosures by a covered entity to a health care provider concerning the treatment of an individual (e.g., information exchanges between a hospital and physicians for treatment of patients).
- Does not apply to disclosure of protected health information to health plans for payment purposes.
- Does not apply to disclosure of protected health information to oversight agencies that provide oversight of federal programs and the health care system (e.g., HCFA).
- Does not apply to disclosures to mere conduits for protected health information (e.g., couriers, U.S. Postal Service).
- Does not apply to financial institutions conducting activities that facilitate or effect the transfer of funds for compensation for health care.
Special Note: Covered Entities are not excluded from status as a Business Associate; therefore, a Covered Entity may be a Business Associate of another Covered Entity.
What constitutes “satisfactory assurance”?
“Satisfactory assurance” requires a written contract between the Covered Entity and the Business Associate which contains the following provisions:
- Establishes the permitted uses and disclosures of protected information by the Business Associate.
- Prohibits further unauthorized disclosures or uses of protected information by the Business Associate.
- Establishes safeguards ensuring only permitted uses and disclosures by the Business Associate.
- Requires the Business Associate to report any unauthorized uses or disclosures to the Covered Entity.
- Requires the Business Associate to obtain the agreement of agents and subcontractors who receive protected health information to the same restrictions and conditions that apply to the Business Associate.
- Allows the subject patient access to their own health information that is in the hands of the Business Associate.
- Ensures appropriate correction or amendment of records. Establishes procedures by which the subject patient may seek to view and/or request an amendment of or correction to information that is in the hands of the Business Associate, and incorporates corrections or amendments to information when notified.
- Provides for an accounting of disclosures by the Business Associate upon the patient's request.
- Makes protected information and the internal compliance policies and procedures of the Business Associate available to DHHS.
- Provides for destruction or return of protected information upon contract termination where feasible. Ensures privacy protections continue after the contract ends for as long as the Business Associate retains protected information.
- Provides for contract termination by the Covered Entity, or notification to DHHS, upon material breach by the Business Associate of these provisions.
Special situations:
- If a Business Associate is required by law to perform a function or activity on behalf of the Covered Entity or to provide a specified service (see category 2 above) to the Covered Entity, the Covered Entity may disclose protected health information to the Business Associate to the extent required by law without meeting the Business Associate contract requirements if 1) the Covered Entity makes a good faith attempt to obtain satisfactory assurances and 2) documents the attempt and the reasons such assurances cannot be obtained.
- The termination provisions may be omitted from the contract if they are inconsistent with the statutory obligations of the Covered Entity or the Business Associate.
Implementation Tip: In addition to the above required provisions, the Covered Entity should consider including the following provisions in its contracts with Business Associates: warranty of non-disclosure/unauthorized use, indemnification of the Covered Entity, adequate insurance coverage (additional named insured), ownership of protected health information by the Covered Entity, designation of a privacy officer for the Business Associate, and governing law and venue.

Implementation Tip: In contemplation of the plethora of Business Associate agreements that will be exchanged between Covered Entities and Business Associates, consider using standard provisions and language where possible. Contract negotiations will become easier as the health care industry and its vendors become familiar with the provisions required by HIPAA and learn to allocate risks. Be aware that Business Associates may translate perceived increased risk into higher costs to, or compensation from, Covered Entities.
What liability does the Covered Entity have if the Business Associate violates the contract?
Covered Entities are responsible for violations by their Business Associates if they knew of a pattern of activity or practice that constituted a material breach of the agreement and failed to take reasonable steps to correct or end the violation or to terminate the agreement. The standard for whether a Covered Entity "knew" of a violation by its Business Associate is whether it had "substantial or credible evidence" of the violation.
Frequently Asked Questions
- Am I required to monitor the activities of my business associates for compliance with or violations of the agreement? No. You are not required to actively monitor compliance or investigate the practices of your business associates. Note that this is a change from the proposed regulations. You are required to take action, however, if you know of a pattern of activity or practice that materially violates the agreement.
- Am I required to name the patient who is the subject of the protected health information being disclosed to the business associate as a third party beneficiary to the contract? No. Under the proposed regulations, this was a requirement. It has been taken out of the final regulations.
- The specified services category of business associates includes "accreditation" bodies. Does this mean that JCAHO is my business associate under the HIPAA privacy regulations? Probably yes, unless there is further guidance from DHHS that JCAHO is excluded as an oversight agency that acts to provide oversight of federal programs and the health care system. This could also occur in the event that the Office of Civil Rights Division charged with enforcing HIPAA formally appoints JCAHO as its oversight agency overseeing hospital compliance.
- Would a vendor such as a document shredding company, document storage company, janitorial service or housekeeping service be considered a business associate? There is ongoing debate and disagreement over this issue. Some say these vendors are business associates under HIPAA and some say they are not. Those who say they are business associates reason that the work of these vendors "involves" the disclosure of protected health information because the incidental exposure of protected health information is unavoidable in the work they do. It is not realistic to assume that their work could go on with the eyes of their workforce averted so that they did not see the protected health information being handled as they perform their jobs. Those who say they are not business associates reason that these vendors perform functions for covered entities that involve being in the proximity of protected health information, but not really having "access" in the sense that they would need to read or store it in the course of performing their duties. The inadvertent access they may gain (if a bag of trash tears or a record is left open in an area being cleaned) should be dealt with as an issue of confidentiality, security and training in the regular contract that the covered entity has with these vendors.
- If I have an existing service agreement with a business associate, is it possible to amend that agreement to add the business associate provisions, or am I required to prepare an entirely new agreement? You can do either.
Source: Marilyn Lamar, Esq., McDermott, Will & Emery, Coping With Contracts after the HIPAA Privacy Standards, Business Associates under the HIPAA Privacy Regulations, A Teleconference Presented by the Health Information and Technology SISLC for the American Health Lawyers Association and the Healthcare Information and Management System Society, August 1, 2001