Covered Entities & Business Associates
With business associates and business associate agreements (BAAs) coming under increased scrutiny in the latest round of HIPAA audits, some covered entities are wondering how to identify which vendors are considered business associates, and therefore require a BAA, and which vendors are not.
According to the Privacy Rule, a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity (CE).
Business associate functions and activities include the following:
● Claims processing or administration;
● Data analysis, processing, or administration;
● Utilization review;
● Quality assurance;
● Benefit management;
● Practice management; and
Additionally, any entity that provides any of the following services involving the disclosure of PHI by a CE, is a business associate:
● Data aggregation;
● Accreditation; or
The Omnibus Rule also broadened the definition of a business associate to include any individual or organization that creates, receives, maintains, or transmits PHI on behalf of a CE, and added four new categories to the definition:
● Health Information Exchanges;
● E-prescribing gateways;
● Data transmission services; and
● Entities that offer a personal health record to individuals on behalf of a CE.
The following is a list of sample business associates a CE may have. A BAA would need to be initiated for all of these vendors. Examples include:
● IT companies that support health care providers;
● Electronic Health Record (EHR) system providers;
● Data centers, online backup companies, cloud service providers, even if they do not access data;
● Shredding companies;
● Insurance agents;
● A CPA firm whose accounting services to a health care provider involve access to PHI;
● An attorney whose legal services to a health plan or provider involve access to PHI;
● Any person or entity providing services to a business associate that requires access to PHI; and
● Data centers, online backup companies, and cloud service providers that provide services to a business associate, even if they do not access data.
The Privacy Rule also outlines situations where it is not necessary to enter into a BAA. Some examples of when a BAA is not required are the following:
● When a health care provider discloses PHI to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan’s network.
● With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all.
● Among CEs who participate in an organized health care arrangement (OHCA) to make disclosures that relate to the joint health care activities of the OHCA.
● Where a group health plan purchases insurance from a health insurance issuer or HMO.
● Where one CE purchases a health plan product or other insurance, for example, reinsurance, from an insurer.
● With a person or organization that acts merely as a conduit for PHI, for example, the US Postal Service, certain private couriers, and their electronic equivalents.
● To disclose PHI to a researcher for research purposes, either with patient authorization, pursuant to a waiver, or as a limited data set.
● When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or affects the transfer of funds for payment for health care or health plan premiums.
Also included are the following exceptions to the business associate standard. In these situations, a CE is not required to have a BAA or other written agreement in place before PHI may be disclosed to the person or entity.
● Disclosures by a covered entity to a health care provider for treatment of the individual;
● Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or HMO that provides the health insurance benefits or coverage for the group health plan, provided that the group health plan’s documents have been amended to limit the disclosures or one of the exceptions at 45 CFR 164.504(f) has been met;
● The collection and sharing of PHI by a health plan that is a public benefits program, such as Medicare, and an agency other than the agency administering the health plan, such as the Social Security Administration, that collects PHI to determine eligibility or enrollment, or determines eligibility or enrollment, for the government program, where the joint activities are authorized by law; and
● Patient safety organizations.