Understanding HIPAA and Business Associate Agreements

As healthcare organizations continue to rely on and work with different vendors, it becomes vital that they understand when persons or entities fall within the definition of a “business associate,” thereby triggering the need for a business associate agreement (BAA). Maintaining compliance is important because failure to maintain a proper BAA could mean costly HIPAA violations for a practice.


Recommended Actions

A series of recent enforcement actions confirms just how serious the government is about assessing monetary penalties against covered entities who disclose protected health information (PHI) to business associates without written business associate agreements (BAAs) in place.

In one of the largest HIPAA settlements to date, Illinois-based Advocate Health agreed to pay $5.5 million to resolve multiple potential HIPAA Privacy and Security Rule violations, including allegations that it had disclosed the ePHI of more than 2,000 individuals to a billing services vendor without first entering into a BAA with the vendor.

In another sizable settlement, North Memorial Health Care of Minnesota paid the government $1.55 million to resolve allegations that it violated HIPAA by, among other things, failing to execute a BAA before sharing the PHI of nearly 290,000 patients with a vendor that performed certain payment and healthcare operations functions.

As those cases make clear, it is imperative that covered entities understand when persons or entities come within the definition of a business associate, thereby triggering the need for a BAA. Covered entities must also understand when a person or entity is not a business associate so that they avoid unnecessarily entering into BAAs and assuming contractual obligations that they are not otherwise required to undertake.

Definition of a Business Associate

A wide range of persons and entities that provide services to or perform functions on behalf of healthcare providers and other covered entities are business associates and must comply with HIPAA’s Security Rule and certain provisions of its Privacy and Breach Notification Rules. HIPAA defines a business associate as any person, other than a member of the covered entity’s workforce, or entity who:

  1. On behalf of a covered entity, creates, receives, maintains or transmits PHI for a function or activity regulated under HIPAA.
  2. Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for a covered entity, if the service involves the disclosure of PHI.

Common examples of business associates include: a third-party administrator that assists a health plan with claims processing; a CPA firm whose accounting services to a healthcare provider involve access to PHI; an attorney whose legal services involve access to PHI; a consultant who performs utilization reviews for a hospital; an independent medical transcriptionist who provides transcription services to a physician; and a pharmacy benefits manager that manages a health plan’s pharmacist network.

Companies that simply maintain PHI for covered entities also are considered business associates, regardless of whether they access the PHI. Thus, a storage or cloud computing vendor is a business associate because it maintains PHI on behalf of the covered entity, even if it never actually views the PHI or views it only on a random or infrequent basis.


HIPAA business associates also include the following persons/entities:


Subcontractors

A business associate subcontractor is a person (or entity) who is not part of the business associate’s workforce and to whom a business associate delegates a function, activity, or service that involves the creation, receipt, maintenance or transmission of PHI on behalf of the business associate.

A subcontractor’s compliance obligations and direct liability under HIPAA mirror those of the business associate itself. The inclusion of subcontractors within the business associate definition thus means all downstream vendors are subject to the same requirements and obligations to which a covered entity’s direct contract business associates are subject. A business associate’s disclosure of PHI for its own management and administration or legal responsibilities does not, however, create a business associate subcontractor relationship with the recipient of the PHI.


PHR vendors

A company that offers a personal health record (PHR) to one or more individuals on behalf of a covered entity is a business associate. In determining whether a PHR vendor is a business associate requiring a BAA, the critical question is whether the PHR vendor is offering personal health records directly to individuals or offering personal health records on behalf of the covered entity.

If the covered entity hires the vendor to provide and manage a PHR service that the covered entity offers its patients, and, in furtherance of that service, provides the vendor with access to PHI, the PHR vendor is acting as a business associate. The US Department of Health and Human Services (HHS) has also clarified that a PHR vendor that offers a personal health record to a patient on behalf of a covered entity is not acting merely as a conduit since the PHR vendor is maintaining PHI on behalf of the covered entity, for the benefit of the individual, even if the PHR vendor never actually accesses the PHI.

Health information organizations, e-prescribing gateways, or other persons or entities that provide data transmission services with respect to PHI to a covered entity and that require routine access to such PHI are also business associates. Whether a person or entity requires “routine access” to PHI to perform the data transmission services depends on the nature of the services and the extent to which the entity needs access to PHI to perform the service. Those who require routine access to PHI are contrasted with true courier entities (e.g., UPS, USPS) that provide merely limited transmission services and that have only sporadic opportunities to access the PHI.

It is critical to remember that if an entity (or person) is a business associate because it meets the applicable definition, the absence of a BAA does not equate to the absence of a business associate relationship. As long as the person or entity is not a member of the covered entity’s workforce and is performing functions on behalf of, or providing services to, the covered entity that involve the creation, receipt, maintenance or transmission of PHI, the person or entity is a business associate and a BAA is required.


Covered Entity Liability for Business Associate Violations

Along with being able to identify which persons and entities are business associates with whom BAAs are required, healthcare providers and other covered entities should understand their obligations and liabilities vis-à-vis their business associates and how their business associates’ actions can negatively impact them.

While covered entities are not required to monitor their business associates’ actions or to ensure that their business associates are HIPAA-compliant, covered entities who receive credible information that a business associate is engaging in a pattern of activity or practice that constitutes a material breach or violation of the business associate’s obligations under the BAA are required to take reasonable steps to cure the breach or end the violation (or, if such steps were taken but were unsuccessful, to terminate the BAA). In other words, a covered entity that fails to take appropriate action in the face of a business associate’s known noncompliance has itself violated HIPAA.

Of course, HIPAA also requires covered entities to notify affected individuals of breaches of PHI by their business associates, and to mitigate, to the extent practical, any harmful effects of security incidents or Privacy Rule violations that are known to the covered entity. In short, a business associate’s non-compliance with HIPAA’s Privacy and Security Rules can result in significant costs to the covered entity, even though business associates are directly liable to HHS for their own HIPAA violations.

A more complex question involves a covered entity’s liability to HHS for its business associates’ HIPAA violations. The HIPAA Omnibus Final Rule clarified that a covered entity can be held liable under the federal common law of agency for the acts or omissions of its business associate if the business associate is the covered entity’s agent and if the business associate is acting within the scope of the agency when it engages in the conduct to be imputed to the covered entity.


Key Takeaways
  1. Given the potential for HIPAA fines and penalties, covered entities must understand who qualifies as a business associate and must ensure that HIPAA-compliant business associate agreements are in place before they disclose any PHI to the business associate.
  2. Because HHS can hold covered entities liable for their business associate’s HIPAA violations, care should be taken to avoid an agency relationship. To that end, BAAs should not prescribe or specify how the business associate will provide the contracted services, nor should they contain language giving the covered entity the right or authority to control the conduct of the business associate.
    However, because the terms, statements or labels given to parties (e.g., an independent contractor) do not control whether an agency relationship exists, a carefully drafted BAA will not insulate the covered entity that actually controls the business associate during the business associate’s provision of services to or performance of functions on behalf of the covered entity.
  3. Finally, covered entities should vet business associates before allowing them to access PHI. Risk assessments, password policies, staff HIPAA training, workstation security and encryption are all fair topics to explore. Covered entities should not engage business associates without a high level of comfort that the business associates are in active compliance with their obligations to protect the privacy and security of PHI.

Lessons Learned:
Potential Damages

Covered entities that disclose protected health information to business associates without written BAAs in place face the potential for costly HIPAA fines and penalties. Although the penalties for a violation can be serious, the frequency of such violations is relatively low.

Quiz

1. If I receive information that my business associate is breaching obligations under the BAA, I must take steps to ensure the breach is cured. Otherwise, I could be liable for a HIPAA violation.

2. If I get notice that my business associate has been involved in a breach of PHI, I must notify the affected patients.