Special HIPAA Business Associate Issues For Health Care Contractors

December 2, 2003

Employment Litigation Reporter Special Report, November 3, 2003; and Health Law Litigation Reporter Special Report, November 7.


Businesses that contract with health care organizations are encountering a new wave of legal and practical issues associated with the Health Insurance Portability and Accountability Act’s “business associate” requirements following the privacy rule’s April 14, 2003, compliance date. 1 The business associate requirements raise a variety of issues involving interpretation of the HIPAA privacy and security regulations and practical considerations for implementation. These issues affect companies that provide services and supplies to health care providers, health plans, health care clearinghouses and persons responsible for health benefits plans.
Although the volume and complexity of the HIPAA regulations can seem overwhelming at times, vendors that are required to sign their customers’ business associate contracts should have a clear understanding of how the contractual obligations will affect their companies’ functioning. This article offers guidance based on the authors’ experience counseling covered entities and business associates on these issues. 2
I. Determining Business Associate Status
Congress provided that only health plans, health care clearinghouses and health care providers that conduct certain electronic transactions are “covered entities” subject to HIPAA. The HHS “privacy rule” implementing the act effectively expanded the reach of HIPAA by requiring that a covered entity obtain “satisfactory assurances” (in other words, a written contract) that its business associates will protect certain health information that passes from the covered entity to the business associate.
In addition, the HIPAA “security rule” requires covered entities to obtain satisfactory assurances that business associates will safeguard electronic information received from the covered entity. In practice, these requirements indirectly regulate vendors that contract with health care organizations, or “business associates,” as well as their subcontractors, through mandated contractual obligations.
A. What Is a ‘Business Associate’?
“Business associates” are persons or organizations to which a covered entity discloses protected health information (PHI) so that the business associate can carry out or assist with the performance of a function or activity for the covered entity. PHI is individually identifiable health information maintained or transmitted in any form or medium, including electronic, written or oral information. Common business associate functions or activities include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management and repricing.
Business associates typically include a broad range of contractors and other persons who receive PHI on a covered entity’s behalf, such as consultants, health care clearinghouses, data aggregation services, billing firms, computer maintenance services, medical directors, accreditation organizations, auditors, lawyers, telephone answering services and others.
B. Determining Whether Your Customers Are Covered Entities
Your organization is not a business associate unless the health care organization with which it contracts is a “covered entity” under HIPAA. Unfortunately, it may not be readily apparent whether or not your customers are covered entities. In this situation, the most efficient strategy may be to ask the customer whether it considers itself a covered entity under HIPAA, document its response and design your compliance efforts accordingly.
C. Entities That Typically Are Not Business Associates
Members of a covered entity’s workforce (employees, independent contractors, volunteers, etc.) are not considered business associates of the covered entity. Covered entities that engage in joint activities under an “organized health care arrangement” 3 are not generally required to have business associate contracts with each other.
Janitors, plumbers, electricians, copy machine service technicians, U.S. Postal Service workers and private couriers generally are not business associates because any disclosure of PHI to them in the performance of their duties is “incidental.” In other words, the use or disclosure is not central to the contracted function, is limited in nature and cannot be reasonably prevented.
Photography services often offer to photograph a newborn in the hospital and provide copies of the pictures to the newborn’s family. To provide these services, a photographer typically learns information that is likely to be considered PHI, such as the newborn’s name, date of birth and observable health information (for example, intravenous therapy), as well as the mother’s name and contact information. A commercial photographer is not generally considered a business associate of the hospital, since the photographer is not performing a function on behalf of the hospital. However, the newborn’s mother should sign a HIPAA-compliant authorization before allowing for any disclosures of PHI to the photographer.
D. Health Care Providers as Covered Entities And Business Associates
A health care provider may receive PHI from a covered entity for treatment purposes without a business associate contract. However, a health care provider may also have a business associate relationship with another covered entity if it receives PHI on behalf of the covered entity for some other purpose.
For example, a hospital may enlist the services of another health care provider, such as a neurology practice, to assist in the hospital’s training of medical students, for which patient PHI is disclosed. Because the purpose of this relationship is not treatment, the neurology practice would be a business associate of the hospital and would require a business associate contract.
E. Examples of Business Associates
Databases and Benchmarking Services
Covered entities have historically shared patient information with a variety of organizations that maintain databases of the information for research, public-health and quality-review purposes. Such a database or data analysis service is a business associate if it receives PHI from the covered entity to perform a function such as data analysis, processing or administration, or quality assurance on behalf of the covered entity. However, if the database service receives PHI for research purposes only, the database service is not a business associate, even if the covered entity has hired the researcher to perform research on the covered entity’s behalf.
If the covered entity discloses only “de-identified” information to a database or other contractor, no business associate relationship is formed. 4 Similarly, if the covered entity only discloses certain limited information in a defined “limited data set” for certain research or public-health purposes, a data use agreement is required but a business associate contract is not required. 5
Medical Device Companies
A medical device company that is simply sponsoring research or selling a product to a covered entity, such as a hospital, and does not receive PHI from the covered entity is not a business associate. A medical device company is a business associate if it creates or receives PHI from a covered entity to engage in specific services on behalf of the covered entity, such as training, technical and support services, or customization of its products for individual patients. However, if the medical device company is acting as a health care provider and receiving the PHI solely for treatment purposes in certain cases, no business associate contract may be required. 6
Sales Representatives in the Field
A sales representative in the field who does not receive PHI from a covered entity is not a business associate. For example, a pharmaceutical company sales rep who visits physicians in a hospital to provide information and samples of a drug product but does not receive PHI to perform a function on behalf of the hospital is not a business associate. However, a pharmaceutical company sales rep who uses a patient’s PHI to customize a product for the patient’s use is a business associate if the customization is performed on behalf of the hospital.
Software Vendors
A software vendor is a business associate if it needs access to the covered entity’s PHI to provide the service (for example, if it hosts the software containing PHI on its own server or accesses PHI when troubleshooting the software). However, a software vendor is not a business associate if it merely sells or provides software to a covered entity but does not have access to the covered entity’s PHI.
In addition, a software vendor that provides its employee to the covered entity as part of an outsourcing arrangement (for example, the employee is primarily stationed on site at the covered entity and the covered entity treats the employee as a member of its own workforce) may not be a business associate if access to PHI is limited to the outsourced on-site employee.
Subcontractors Funded by State Agencies
In some states, one or more state health care agencies (such as the state mental health or children’s services agencies) have determined that they are HIPAA-covered entities and that organizations funded by the state agencies to provide services to patients or clients are business associates. In these states, organizations that might not otherwise be subject to HIPAA (because, for example, they do not perform electronic billing) are required to sign business associate contracts with the state and become compliant with the HIPAA business associate requirements.
Third-Party Health Benefits Administrators
A third-party health benefits administrator that creates or receives PHI for claims management (for example, claims processing, utilization review or benefits management activities) on behalf of a group health plan is a business associate of the group health plan. A third-party administrator that provides group health insurance will also be considered a covered entity. Many self-insured health plans do not have their own mechanisms to carry out HIPAA compliance and will need to engage their third-party administrator to do so.
For example, if a group health plan does not employ staff members who can respond to a patient’s request to access his or her records, the third-party administrator may be needed to handle that request. A third-party administrator that discloses PHI to subcontractors (for example, a pharmacy benefits manager) must also ensure that the subcontractor agrees to comply with the business associate obligations.
II. Business Associate Obligations in Practice
A. Contractual Obligations
The privacy rule specifies the terms that must be included in a business associate contract. A business associate contract restricts the business associate from using or disclosing PHI in a manner that would violate the privacy rule if the use or disclosure was made by the covered entity. For example, a covered entity must limit the amount of PHI to the “minimum necessary” for most uses, disclosures or requests for PHI; the business associate contract requires business associates to do the same.
Similarly, the contract limits the business associate’s uses and disclosures of PHI to those permitted or required by the contract or required by law. The contract requires the business associate to use appropriate information safeguards, report any privacy violations, and ensure that its agents and subcontractors agree to the same restrictions and conditions to which it has agreed in the contract.
To the extent relevant, the business associate is required to comply with a patient’s right to access and request amendments to the designated record set (medical and billing records) and a patient’s right to obtain an accounting of disclosures of PHI maintained by the business associate. The contract also requires the business associate to open its internal books to the U.S. Department of Health and Human Services upon request for compliance purposes and to return or destroy PHI (if feasible) at the termination of the contract.
B. Differences Between Covered Entities’ And Business Associates’ Obligations
The business associate’s obligations under the required contract provisions can be so extensive that the question arises whether it is essentially covered by the HIPAA privacy rule as if it were a covered entity. Some differences between the covered entity’s obligations under the privacy rule and the business associate’s obligations under the business associate contract are readily apparent. For instance, HIPAA’s civil monetary penalties apply only to covered entities and not to business associates. The privacy rule expressly requires covered entities, but not business associates, to provide a notice of privacy practices, appoint a privacy officer, and develop numerous policies and procedures concerning the use and disclosure of PHI.
However, in practice, the differences between the covered entity’s obligations and the business associate’s obligations can be less clear. The business associate contract requires business associates to demonstrate practices that mirror many of the covered entity’s obligations under the privacy rule. The practical impact will depend on how extensively the business associate uses and maintains PHI.
For business associates that regularly disclose PHI on behalf of the covered entity, obligations for compliance with the patients’ rights requirements could be significant. For example, the contract requires that a business associate make PHI and other information available to respond to a patient’s request to receive an accounting for disclosures for the prior six years. The accounting must include many of the oral, written and electronic disclosures of PHI during the six years prior to the request.
In practical terms, how will such a business associate comply with this and other HIPAA requirements unless it has procedures in place to track disclosures of PHI? A business associate that handles or discloses a very small amount of PHI may be able to conduct a manual or electronic search of its records for the prior six years to capture the necessary data. However, a business associate that handles a greater volume of PHI may encounter difficulty compiling this data retrospectively and thus may need policies and procedures in place to track disclosures on an ongoing basis.
C. Structuring and Documenting Compliance
Business associates have a wide range of options for structuring their compliance with HIPAA since they are not directly regulated by the HIPAA statute and regulations. An organized strategy for complying with the business associate requirements will streamline the administrative burden of compliance, improve efficiencies and ensure consistency. The immediate focus for structuring compliance with the HIPAA business associate requirements is compliance with applicable privacy rule requirements since the general privacy rule compliance date was April 14, 2003. 7
First, assess how much PHI your organization is receiving and maintaining, and determine whether all of the PHI is necessary for your organization’s operations. Second, obtain HIPAA resources (tailored for business associates, if available), such as implementation guides, model policies and procedures, and learn the major HIPAA requirements.
Business associates that handle substantial amounts of PHI should consider taking the same approach to privacy compliance as is recommended for covered entities: obtain HIPAA resources that divide the privacy rule requirements into manageable projects, and then consider for each HIPAA requirement whether each covered entity obligation applies to your organization (as a business associate). This will require you to know how PHI is accessed, used, disclosed, stored and secured in each department of your organization (for example, administration, customer service, information technology, medical records, sales and marketing).
Next, assign tasks, including the development of necessary policies and forms, to specific personnel and agree upon a reasonable time frame for completion. You may wish to identify your high-risk and most public activities for immediate implementation (for example, updating authorization forms and assessing marketing activities). Finally, implement and train your workforce on the new policies and procedures.
D. When Do the Business Associate Obligations Commence?
Business associates are bound to abide by the terms of the business associate contract as of the contract’s effective date once the contract has been executed. However, not all covered entities have finalized HIPAA-compliant business associate contracts with all of their vendors. Covered entities may take up to April 14, 2004 (an additional year after the privacy rule’s compliance date), to amend existing written contracts to incorporate the business associate requirements, as long as the existing contracts were not renewed or amended after Oct. 15, 2002. 8
Existing written contracts must be amended to comply with the business associate requirements by the earlier of when the contract is amended or renewed, or April 14, 2004. Contracts that automatically renew (“evergreen contracts”) are eligible for the extension as long as they automatically renew without any action by the parties to the agreement.
Regardless of whether the extension applies, covered entities are still required as of April 14, 2003, to ensure that business associates comply with the privacy rule’s patients’ rights provisions. As a result, even if a covered entity has business associate arrangements that qualify for the extension, it must be prepared to give patients access to records held by these business associates, provide an accounting of certain disclosures by the business associates and process any requests for amendment of PHI held by the business associate on the covered entity’s behalf. For this reason, many covered entities have chosen to amend existing contracts before April 14, 2004, to include terms that meet the HIPAA business associate requirements.
III. Potential Liability Issues For Health Care Contractors
Business associates that have signed business associate contracts should not be lulled into complacency now that the privacy rule’s April 14, 2003, deadline has come and gone. Efforts must be made as described above to ensure compliance with the business associate requirements. The covered entity can terminate the business associate contract if the business associate breaches a material term of the contract.
The Department of Health and Human Services is not authorized to impose civil monetary penalties on a business associate for breach of a business associate contract unless the business associate itself is a covered entity. However, health care contractors potentially face other significant business and legal risks if a HIPAA-compliant business associate contract is not in place or its terms are not followed. 9
Termination of a business associate contract may jeopardize the underlying contract between the business associate and the covered entity if the underlying contract depends upon the business associate’s access to PHI. Without a valid business associate contract in place, the covered entity would be prohibited from disclosing PHI to the business associate.
Vendors that refuse to enter into business associate contracts may find that covered entities take their business elsewhere. Because HIPAA has arguably set the industry standard for health information privacy and security, contractors will have little bargaining power if they refuse to agree and adhere to the terms of a standard business associate contract.
Although HHS initially proposed that business associate contracts include language making patients third-party beneficiaries of the business associate contract, these proposed regulations were not adopted. Nevertheless, a business associate may wish to minimize the risk of third-party-beneficiary claims by including in the business associate contract a provision stating that the contract does not create any third-party-beneficiary rights.
IV. Conclusion
The legal and practical issues raised by HIPAA’s business associate requirements necessitate a thoughtful analysis of relationships between health care providers and plans and the vendors that provide services and supplies to them. If your organization is likely to be considered a business associate or has been asked to sign a business associate contract, you must gain an understanding of a business associate’s practical obligations and may need to develop an appropriate compliance program.
HIPAA resources and legal counsel may assist you in structuring and implementing this effort. Ultimately, an organized and informed approach to complying with the business associate requirements is the most efficient way to minimize the risks of violations and associated liability.

Footnotes
1 The Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, authorized an expansive approach for regulating the privacy and security of personal health information and the electronic exchange of health information. The HIPAA privacy and security regulations are codified at 45 C.F.R. pts. 160 and 164.

2 This article does not constitute legal advice, but rather is intended as guidance to help health care contractors consider special issues for business associates in the context of HIPAA implementation. You should consult legal counsel knowledgeable about HIPAA for specific advice concerning the statute and issues arising in your company’s implementation process.
3 An example of an organized health care arrangement is a hospital or nursing home setting where the facility and physicians with staff privileges share PHI to collectively provide treatment to a patient.
4 “De-identified” information has been stripped of certain identifiers and meets the other requirements of 45 C.F.R. § 164.514(b) and, thus, may be disclosed without violating the privacy rule.
5 A limited data set has been stripped of certain identifiers, meets the other requirements of 45 C.F.R. § 164.514(e), and may be disclosed for research, public-health or health care operations purposes under a data use agreement.
6 Note that if a medical device company provides “health care” and transmits health information in electronic form in connection with a standard HIPAA electronic transaction, the company is a covered entity under HIPAA and must be fully HIPAA-compliant. See OCR Letter to AdvaMed (March 13, 2003) (posted at https://www.wiggin.com).
7 The deadline for covered entities to comply with the security rule is April 20, 2005 (except for small health plans, which have an additional year).
8 Small health plans have until April 14, 2004, to amend written contracts to come into compliance with the business associate requirements regardless of when the contracts were last amended or renewed.
9 Some organizations, such as the National Committee for Quality Assurance, offer “certification” for HIPAA business associates that meet certain standards. However, any such certification by a third party does not exempt the business associate from compliance with the business associate requirements or the potential liability issues discussed here.
By Jeanette C. Schreiber, Esq., and Amanda Littell, Esq.
Jeanette C. Schreiber, JD, MSW, is a partner in Wiggin & Dana’s health care department, chair of the firm’s health information technology group and leader of the firm’s HIPAA team. Ms. Schreiber has practiced health care law for more than 20 years and represents a variety of health care clients including home care and hospice agencies, hospitals, mental health providers, and physicians as well as several health care provider associations. Ms. Schreiber and other members of Wiggin & Dana’s HIPAA team are working extensively with health care providers and provider associations to assist in HIPAA compliance.
Amanda Littell, JD, MPH is an associate at Wiggin & Dana and a member of the firm’s HIPAA team. She co-authored, with the Wiggin & Dana HIPAA team and Simione Consultants, “HIPAAPassport Long-Term Care,” a HIPAA resource for long-term-care providers. She also co-authored “HIPAA: A Guide to Health Care Privacy and Security Law,” a HIPAA resource published by Aspen Law & Business in 2002. Ms. Littell is a member of the American and Connecticut Bar Associations and the American and Connecticut Health Lawyers Associations. Wiggin & Dana is located in New Haven, Conn.