
Understanding HIPAA: Business Associates

May 28, 2020

Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is required to have a written agreement with each of its business associates. The following generally defines a business associate and lays out the necessary steps covered entities must take to ensure HIPAA compliance with their business associates; contact a healthcare attorney to determine whether your arrangements meet the business associate rules under HIPAA. 

Broadly speaking, a business associate is a person or organization that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of Protected Health Information (PHI). Examples of business associate functions or activities include claims processing, data analysis, utilization review and billing. Business associate services are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation and financial services. Business associates also include (i) a health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI; (ii) a person that offers PHI to one or more individuals on behalf of a covered entity; and (iii) a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate. A covered entity may also be a business associate of another covered entity, depending on the services being offered.

Notably, persons or organizations are not considered business associates if their functions, activities or services do not involve the use or disclosure of PHI, and where any access to or exposure of PHI would be, at most, incidental. Further, a business associate does not include a covered entity’s employees. Additionally, business associates do not include: (i) a health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual; (ii) a plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that additional regulatory requirements apply and are met; (iii) a government agency, generally with respect to government health plans; and (iv) another covered entity, again depending on the services being offered.

When a covered entity uses a business associate to perform functions, activities or services, HIPAA requires the covered entity to include certain protections for PHI in a separate written contract known as a business associate agreement (BAA). In the BAA, a covered entity must ensure the business associate complies with specific safeguards attributable to the used or disclosed PHI. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of PHI that would violate HIPAA. The terms of a BAA, for the most part, are set by regulations promulgated by the Department of Health and Human Services.

There are also instances where business associates may outsource functions on behalf of a covered entity to another person or organization. In these cases as well, HIPAA requires the business associate to enter into a BAA with those subcontractors for the same purposes.

Matt DeNoncour is the owner of Magis Law Firm, a solo law firm based in Boston, MA, where he provides legal services to the healthcare, biotechnology, and business communities. You can reach Matt at magislawfirm.com, by phone at 857-242-6826 or by email at matt@magislawfirm.com. This post is not meant to be legal advice: learn more here.
