Regulation of Medicine
Understanding Business Associate Relationships Key to Avoiding Liability
By Emma Cecil, JD
April 26, 2018
A series of recent enforcement actions confirms just how serious the government is about assessing monetary penalties against covered entities who disclose protected health information (PHI) to business associates without written business associate agreements (BAAs) in place.
In one of the largest HIPAA settlements to date, Illinois-based Advocate Health agreed in August 2016 to pay $5.5 million to resolve multiple potential HIPAA Privacy and Security Rule violations, including allegations that it had disclosed the ePHI of over 2,000 individuals to a billing services vendor without first entering into a BAA with the vendor.
Another sizable settlement earlier in 2016 had North Memorial Health Care of Minnesota paying the government $1.55 million to resolve allegations that it violated HIPAA by, among other things, failing to execute a BAA before sharing the PHI of nearly 290,000 patients with a vendor that performed certain payment and healthcare operations functions.
Other enforcement actions include a Rhode Island hospital that paid $400,000 in September 2016 to resolve allegations it had disclosed PHI to a business associate and had allowed the business associate to create, receive, maintain, or transmit PHI on its behalf without a BAA, and a small pediatric subspecialty practice in Illinois that in April 2017 paid $31,000 and entered into a corrective action plan to resolve potential HIPAA Privacy Rule violations stemming from its failure to enter into a BAA prior to disclosing PHI to a medical records storage company.
As these cases make clear, it is imperative that covered entities understand when persons or entities come within the definition of a business associate, thereby triggering the need for a BAA. Covered entities must also understand when a person or entity is not a business associate so that they avoid unnecessarily entering into BAAs and assuming contractual obligations that they are not otherwise required to undertake.
Who is a Business Associate?
A wide range of persons and entities who provide services to or perform functions on behalf of healthcare providers and other covered entities are business associates and thus must comply with HIPAA’s Security Rule and certain provisions of its Privacy and Breach Notification Rules. As amended by 2013’s Omnibus Rule, HIPAA defines a business associate as any person, other than a member of the covered entity’s workforce, or entity who:
- On behalf of a covered entity, creates, receives, maintains, or transmits PHI for a function or activity regulated under HIPAA;
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.
Common examples of business associates include: a third-party administrator that assists a health plan with claims processing; a CPA firm whose accounting services to a healthcare provider involve access to PHI; an attorney whose legal services involve access to PHI; a consultant who performs utilization reviews for a hospital; an independent medical transcriptionist who provides transcription services to a physician; and a pharmacy benefits manager that manages a health plan’s pharmacist network.
Importantly, companies that simply maintain PHI for covered entities are considered business associates, regardless of whether they access the PHI. Thus, a storage or cloud computing vendor is a business associate because it “maintains” PHI on behalf of the covered entity, even if it never actually views the PHI or views it only on a random or infrequent basis.
HIPAA business associates also include the following persons/entities:
- Subcontractor(s). A business associate subcontractor is a person (or entity) who is not part of the business associate’s workforce and to whom a business associate delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI on behalf of the business associate. A subcontractor’s compliance obligations and direct liability under HIPAA mirror those of the business associate itself. The inclusion of subcontractors within the business associate definition thus means that all downstream vendors are subject to the same requirements and obligations to which a covered entity’s direct contract business associates are subject. A business associate’s disclosure of PHI for its own management and administration or legal responsibilities does not, however, create a business associate subcontractor relationship with the recipient of the PHI.
- PHR Vendors. A company that offers a personal health record (PHR) to one or more individuals on behalf of a covered entity is a business associate. In determining whether a PHR vendor is a business associate with whom a BAA is required, the critical inquiry is whether the PHR vendor is offering personal health records directly to individuals or offering personal health records on behalf of the covered entity. If the covered entity hires the vendor to provide and manage a PHR service that the covered entity offers its patients, and, in furtherance of that service, provides the vendor with access to PHI, the PHR vendor is acting as a business associate. HHS has also clarified that a PHR vendor that offers a personal health record to a patient on behalf of a covered entity is not acting merely as a conduit, since the PHR vendor is maintaining PHI on behalf of the covered entity (for the benefit of the individual), even if the PHR vendor never actually accesses the PHI.
- Health information organizations, E-prescribing gateways, or other persons or entities that provide data transmission services with respect to PHI to a covered entity and that require routine access to such PHI. Whether a person or entity requires “routine access” to PHI to perform the data transmission services depends on the nature of the services and the extent to which the entity needs access to PHI to perform the service. Those who require routine access to PHI are contrasted with true courier entities (e.g., UPS, USPS) that provide merely limited transmission services and that have only sporadic opportunities to access the PHI.
It is critical to remember that because an entity (or person) is a business associate if it meets the definition of a business associate, the absence of a BAA does not mean the absence of a business associate relationship. As long as the person or entity is not a member of the covered entity’s workforce and is performing functions on behalf of, or providing services to, the covered entity that involve the creation, receipt, maintenance, or transmission of PHI, the person or entity is a business associate and a BAA is required.
Who is not a Business Associate?
HIPAA regulations specifically remove from the definition of business associate the following persons and entities:
- A healthcare provider to whom a covered entity discloses PHI for purposes of treatment of the individual;
- A plan sponsor to whom a group health plan (or health insurance issuer or HMO) discloses PHI;
- A government agency to whom PHI is disclosed for purposes of the agency determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency; and
- A covered entity participating in an organized healthcare arrangement that performs a function or activity for or on behalf of such organized healthcare arrangement involving the creation, receipt, maintenance, or transmission of PHI, or that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such organized healthcare arrangement.
In addition to these express exclusions, HIPAA’s business associate definition – insofar as it encompasses only those persons or entities who, on behalf of a covered entity, perform services or functions requiring the creation, receipt, maintenance, or transmission of PHI – necessarily excludes those persons or entities who access PHI for their own purposes, and those whose job functions do not require them to use or access PHI.
Examples of persons or entities who access PHI for their own purposes and thus are not business associates include:
- An external researcher of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research;
- An external or independent Institutional Review Board by virtue of its performing research review, approval, and continuing oversight functions; and
- Banking and financial institutions with respect to certain payment processing activities (e.g., cashing a check, conducting a funds transfer, authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for healthcare or health plan premiums). Note that a banking or financial institution may become a business associate if it performs functions above and beyond these payment processing activities on behalf of a covered entity, such as performing accounts receivable functions on behalf of a healthcare provider.
Examples of persons or entities whose functions or services do not require access to PHI include janitors, plumbers, electricians, and maintenance workers. Because HIPAA permits incidental disclosures of PHI so long as reasonable safeguards are in place to protect the privacy of the PHI, these persons and entities are not business associates, even though the performance of their job duties might entail access to areas where PHI is maintained or involve some other limited exposure to PHI. Another common example is the pharmaceutical sales representative who visits a physician’s office for the purpose of providing drug samples and product information. Because the representative does not require access to PHI in order to carry out these activities, and her contact with PHI is merely incidental and limited, she is not a business associate of the physician and a BAA is not required.
Similarly, those who are conduits for PHI, such as the postal service, UPS, and private couriers, are excluded from the business associate definition because they merely transport information, whether digitally or in hard copy, but do not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by law. HHS has noted that what separates a mere conduit from a business associate is the transient, versus persistent, nature of the conduit’s opportunity to access PHI during the performance of its functions or provision of its services.
Covered entities who contract with vendors who are not business associates should consider confidentiality agreements, particularly if the person or entity has access to the facility at times when the covered entity is not present (for example, a landlord or cleaning service).
Covered Entity Liability for Business Associate Violations
Along with being able to identify which persons and entities are business associates with whom BAAs are required, healthcare providers and other covered entities should understand their obligations and liabilities vis-à-vis their business associates and how their business associates’ actions can negatively impact them.
While covered entities are not required to monitor their business associates’ actions or to ensure that their business associates are HIPAA-compliant, covered entities who receive credible information that a business associate is engaging in a pattern of activity or practice that constitutes a material breach or violation of the business associate’s obligations under the BAA are required to take reasonable steps to cure the breach or end the violation (or, if such steps were taken but were unsuccessful, to terminate the BAA). In other words, a covered entity who fails to take appropriate action in the face of a business associate’s known noncompliance has itself violated HIPAA.
Of course, HIPAA also requires covered entities to notify affected individuals of breaches of PHI by their business associates, and to mitigate, to the extent practicable, any harmful effects of security incidents or Privacy Rule violations that are known to the covered entity. In short, a business associate’s non-compliance with HIPAA’s Privacy and Security Rules can result in significant costs to the covered entity, even though business associates are directly liable to HHS for their own HIPAA violations.
A more complex question involves a covered entity’s liability to HHS for its business associates’ HIPAA violations. Prior to the Final Rule, covered entities were not vicariously liable for the acts of their business associates who were agents of the covered entity so long as a valid BAA was in place. The Final Rule eliminated this exception and in its place added a provision clarifying that a covered entity can be held liable under the federal common law of agency for the acts or omissions of its business associate if the business associate is the covered entity’s “agent” and if the business associate is acting within the scope of the agency when it engages in the conduct to be imputed to the covered entity.
Does an Agency Relationship Exist?
The essential factor in determining whether a business associate is an “agent” of a covered entity is the covered entity’s right or authority to control the business associate in the performance of services on behalf of the covered entity. If the covered entity has the right or authority to control the business associate’s conduct, then the business associate is an agent, regardless of whether the BAA disavows an agency relationship, and regardless of whether the covered entity ever actually exercises the right or authority to control.
HHS has stated that a covered entity’s authority to give interim instructions or directions is the type of control that can create an agency relationship. On the other hand, if the covered entity’s only means of control is to amend the terms of the BAA or sue for breach of contract, then the business associate is not an agent. To clarify this point, HHS provides the example of a BAA that contains language obligating the business associate to make PHI available “based on the instructions to be provided by or under the direction of the covered entity,” noting that such a provision would create an agency relationship for this particular activity because the covered entity has a right to give interim instructions and direction during the course of the relationship. As this example demonstrates, an agency relationship can exist even if the covered entity does not have the right or authority to control each and every aspect of its business associate’s activities.
Providers should remember that whether a business associate is a covered entity’s “agent” is fact-specific and will depend on each particular arrangement. Other factors relevant to the existence of an agency relationship include whether the covered entity contracts out or delegates a particular obligation under HIPAA to its business associate; the type of service and skill level required to perform the service; and whether the covered entity is legally or otherwise prevented from performing the service or activity performed by its business associate. As a general rule, the more discretion and autonomy a business associate has in the performance of its duties, the less likely it is the business associate is an agent.
Is the Business Associate Acting within the Scope of the Agency?
In addition to the existence of a principal/agent relationship, the business associate must be acting within the scope of the agency at the time it engages in the conduct in order for the covered entity to be liable for that conduct. A business associate’s conduct is generally within the scope of the agency when it occurs during the performance of (or incident to) the assigned work, regardless of whether the work was done carelessly or the business associate disregarded the covered entity’s specific instructions. Factors relevant to whether the business associate’s conduct was within the scope of the agency include:
- Where, when, and why the business associate was engaging in the conduct at issue;
- Whether the business associate engaged in a course of conduct subject to the covered entity’s control;
- Whether the conduct is of the kind commonly performed by a business associate in order to accomplish the service performed on behalf of a covered entity; and
- Whether or not the covered entity reasonably expected that the business associate would engage in the conduct in question.
Importantly, conduct that deviates from the terms of a BAA is not by definition outside the scope of the agency. For example, a business associate who discloses more than the minimum necessary information to a health plan for purposes of payment is still acting within the scope of the agency, even if the disclosure is contrary to clear instructions of the covered entity. Conversely, conduct that is solely for the business associate’s own benefit or that does not further any purpose of the covered entity is outside the scope of the agency.
- Given the potential for HIPAA fines and penalties, covered entities must understand who qualifies as a business associate and must ensure that HIPAA-compliant business associate agreements are in place before they disclose any PHI to the business associate. BAAs entered into before the Final Omnibus Rule went into effect must be updated to reflect the requirements of the Final Rule.
- Because HHS can hold covered entities liable for their business associates’ HIPAA violations, care should be taken to avoid an agency relationship. To that end, BAAs should not prescribe or specify how the business associate will provide the contracted services, nor should they contain language giving the covered entity the right or authority to control the conduct of the business associate. However, because the terms, statements, or labels given to parties (e.g., an independent contractor) do not control whether an agency relationship exists, a carefully drafted BAA will not insulate the covered entity who actually controls the business associate during the business associate’s provision of services to or performance of functions on behalf of the covered entity.
- Finally, covered entities should vet business associates before allowing them to access PHI. Questions to ask of potential business associates include, for example, whether they have completed a risk assessment, whether they have password policies, whether their staff is HIPAA trained, whether they secure work stations, and whether they encrypt devices. Covered entities should not engage business associates without a high level of comfort that the business associates are in active compliance with their obligations to protect the privacy and security of PHI.
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.