Everything you ever wanted to know about HIPAA-covered Business Associates
Let’s answer some questions about Business Associates and their role in HIPAA Compliance.
The Two HIPAA-Responsible Groups: Covered Entities and Business Associates
There are two groups responsible for HIPAA compliance: Covered Entities and Business Associates. Most Covered Entities* have direct contact with patients. Business Associates don’t see patients, but they maintain or have access to Protected Health Information (PHI).
Question: Define “Business Associate.”
Answer: Business associates are vendors (to a covered entity) that “create, receive, maintain or transmit” protected health information (PHI), while performing a service involving the PHI.
Some examples of Business Associates:
- Collections agency
- Billing or coding company
- IT consultant
- Practice management services
- Medical transcriptionist
- Answering service
- E-prescribing services
- Law office or accounting firm
- Medical device maker
- Subcontractor providing remote backup services of patient information for an IT contractor – business associate
Note: If a business associate delegates an activity to another entity, then that entity is considered a subcontractor business associate – all the same rules apply.
A member of the covered entity’s workforce is NOT a business associate, nor is someone who may encounter patient information by chance (like a janitor service or an electrician).
Why are Business Associates so Important?
Business associates under HIPAA are making headlines, and not in a good way. The worst HIPAA news so far this year was the breach of 20 million patients’ information caused by a business associate. If you’re a covered entity you should know who your business associates are, and if you’re a business associate, you should learn what you need to do. The costs of non-compliance can be staggering.
A collection firm, American Medical Collection Agency (AMCA), caused a breach exposing information of 20 million patients of Quest and LabCorp. Now multiple class action lawsuits have been filed across the country, and AMCA is filing for bankruptcy. This is only the latest in a long list of business associate HIPAA violations. And although AMCA is in the hot seat right now, Quest and LabCorp may also be in trouble, depending on their contracts with AMCA, including their business associate agreement.**
Just How Significant Are Business Associates in the Healthcare Ecosystem?
There are many more business associates than there are covered entities in healthcare. The size and complexity of healthcare operations means that PHI is located in lots of places, maintained on and off site, transmitted to and from addresses, electronically and through regular mail. One hospital, one health plan or one medical practice has multiple vendors who help them provide services. The healthcare industry relies on outsourcing key parts of the business, from billing, to collections and data storage.
Business Associates Face Intense Scrutiny
As healthcare grew more complicated and electronic records became more common, the Office for Civil Rights (OCR), the HIPAA enforcement agency, realized business associates needed stricter rules. Since 2009, business associates have been separately liable for HIPAA compliance – they can be audited, investigated and fined just like covered entities. And with the passage of the Hi-Tech Act in 2013, the rules for business associates have been explicit.
Just before the AMCA disaster was announced in early June, OCR published a Fact Sheet about business associate compliance to underline how important business associates are to help maintain patient privacy across the healthcare industry. OCR continues to enforce the issue because of the huge amount of information business associates handle and the sizes of potential breaches.
What is a Covered Entity’s Responsibility When It Comes To Business Associates?
HIPAA law requires covered entities to
1) identify their business associates
2) evaluate whether the business associates comply with HIPAA
3) enter into a HIPAA-compliant business associate agreement with each business associate.
Word of caution: if a covered entity wants to avoid being liable for the actions of its business associate, the business associate agreement should not give too much control to the covered entity, creating a possible “agency” relationship.
Google is a HIPAA Business Associate
Question: Our physician practice uses data backup by Google Cloud Storage [or Amazon Web Service]. They say they are HIPAA compliant. Do we still need a business associate agreement with Google [or AWS]?
What about Contractors and Cleaners?
Question: We have a regular weekly cleaning service that comes into our office and their crew might observe patients in the waiting room, or even accidentally see patient information on the desk or in the trash. Are they a business associate?
Answer: No. A vendor whose work is not integral to your healthcare services and who may encounter PHI incidentally is not a business associate. But you should be sure to follow your own policies to maintain patient privacy and security – use “safeguards” like locking drawers, covering screens and shredding paper information to minimize accidental disclosures.
PHI Defines the Business Associate
Question: I have an answering system business and we never hear medical information, only the name and number of a patient for a callback. Doesn’t that mean we are not receiving protected health information, and so we’re not a business associate, just a regular vendor?
Answer: No, you are a business associate because PHI is more than a medical diagnosis (or complaint). A name alone, or a phone number alone, in connection with a request for healthcare is PHI, and by answering the phone for a healthcare provider you are “receiving” PHI.
Question: We are a billing and coding company for a health clinic, and one of our employees accidentally clicked on a ransomware email – I’m not sure if any information was stolen. Can we just investigate internally and not tell the clinic as long as no breach occurred?
Answer: Always look at your business associate agreement first to decide next steps because the notice requirements there might be shorter than HIPAA law. But also NOTE – “ransomware” is presumed to be a breach under HIPAA unless you can prove it isn’t. And HIPAA requires that you let the covered entity know about a breach promptly, but no later than 60 days after discovery.
A Financial Institution that Only Processes Payment Information is Not a Business Associate
Question: We use a vendor that processes credit card and electronic funds payments for our practice. Are they a business associate?
Answer: No, financial institutions like banks, credit card issuers and credit unions are exempt from HIPAA Rules for Business Associates if the only services they provide are restricted to payment processing.
Even Offshore Contractors Can be Business Associates
Question: If we use a business associate offshore, are they required to follow HIPAA? Are we even allowed to use someone in another country?
Answer: Offshore business associates are permitted under HIPAA and the law applies to them in the same way it applies to ones located within the U.S. As a covered entity, you will want your business associate agreement to require them to agree to the jurisdiction of U.S. courts.
Good news for Business Associates!
The HIPAA E-Tool® has answers for both covered entities and business associates. For covered entities, learn how to identify business associates, see guidance on how to evaluate them, and use a HIPAA compliant business associate agreement tailored to your organization.
For business associates, the Business Associate Edition of The HIPAA E-Tool® guides you through your responsibilities under HIPAA and provides HIPAA compliant agreements for your use.
If you have a question about business associate compliance, let us know at firstname.lastname@example.org.
* Under HIPAA “covered entity” means: (1) A Health Plan. (2) A Health Care Clearinghouse. (3) A Health Care Provider who transmits any Health Information in electronic form in connection with a transaction covered by the Privacy, Security, Breach Notification and Enforcement Rules.
** Although AMCA is liable for its own actions, if Quest or LabCorp made AMCA their “agent” in their contracts, inadvertently or on purpose, they may also be liable under the federal common law of agency.