The HIPAA Toolkit

August 1, 2019

Business associates

What is a business associate?

A wide range of entities that provide services to or perform functions on behalf of health care providers and other covered entities are “business associates” subject to the requirements of HIPAA’s Privacy, Security, and Breach Notification Rules. A business associate is defined as any person, other than a member of the covered entity’s workforce, or entity that:

  • On behalf of a covered entity (or on behalf of an organized health care arrangement in which the covered entity participates), creates, receives, maintains, or transmits protected health information for a function or activity regulated under the HIPAA administrative simplification rules, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or
  • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.

Common examples of business associates thus include:

  • A third party administrator that assists a health plan with claims processing
  • A CPA firm whose accounting services to a health care provider involve access to PHI
  • An attorney whose legal services involve access to PHI
  • A consultant who performs utilization reviews for a hospital
  • An independent medical transcriptionist who provides transcription services to a physician
  • A pharmacy benefits manager that manages a health plan’s pharmacist network
  • An entity that performs patient safety activities on behalf of a CE (e.g., a Patient Safety Organization)

Importantly, entities that simply maintain PHI for a covered entity are considered business associates, even if they do not actually view the PHI, or even if they view it only on a random or infrequent basis. Thus, a storage or cloud-computing entity is a business associate because it “maintains” PHI on behalf of the covered entity, regardless of whether it ever actually accesses the PHI.

The definition of “business associate” also includes the following persons/entities:

  • Subcontractor(s). A business associate subcontractor is a person or entity who is not part of the business associate’s workforce and to whom a business associate delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI on behalf of the business associate. A subcontractor’s compliance obligations and direct liability under HIPAA mirror those of the business associate itself. The inclusion of subcontractors within the business associate definition thus means that all downstream vendors are subject to the same requirements and obligations to which a covered entity’s direct contract business associates are subject. A business associate’s disclosure of PHI for its own management and administration or legal responsibilities does not, however, create a business associate subcontractor relationship with the recipient of the PHI.
  • PHR Vendors. A company that offers a personal health record (PHR) to one or more individuals on behalf of a covered entity is a business associate. In determining whether a PHR vendor is a business associate with whom a BAA is required, the critical inquiry is whether the PHR vendor is offering personal health records directly to individuals or offering personal health records on behalf of the covered entity. If the covered entity hires the vendor to provide and manage a PHR service that the covered entity offers its patients, and, in furtherance of that service, provides the vendor with access to PHI, the PHR vendor is acting as a business associate.
  • Health information organizations, e-prescribing gateways, or other persons or entities that provide data transmission services with respect to PHI to a covered entity and that require routine access to such PHI. Whether a person or entity requires “routine access” to PHI to perform the data transmission services depends on the nature of the services and the extent to which the entity needs access to PHI to perform the service. Those who require routine access to PHI are contrasted with true courier entities or “conduits,” such as the U.S. Postal Service, UPS, FedEx, private couriers, etc., that provide merely limited transmission services and that have only sporadic opportunities to access the PHI.

What persons and entities are not considered "business associates"?

HIPAA regulations specifically remove from the definition of “business associate” the following persons and entities:

  • A health care provider to whom a covered entity discloses PHI for purposes of treatment of the individual;
  • A plan sponsor to whom a group health plan (or health insurance issuer or HMO) discloses PHI;
  • A government agency to whom PHI is disclosed for purposes of the agency determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency; and
  • A covered entity participating in an organized health care arrangement that performs a function or activity for or on behalf of such organized health care arrangement involving the creation, receipt, maintenance, or transmission of PHI, or that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such organized health care arrangement.

In addition to these express exclusions, HIPAA’s business associate definition, insofar as it encompasses only those persons or entities who on behalf of a covered entity perform services or functions requiring the creation, receipt, maintenance, or transmission of PHI, necessarily excludes those persons or entities who access PHI for their own purposes, and those whose job functions do not require them to use or access PHI.

Examples of persons or entities who access PHI for their own purposes and thus are not business associates include:

  • An external researcher of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research;
  • An external or independent Institutional Review Board by virtue of its performing research review, approval, and continuing oversight functions; and
  • Banking and financial institutions with respect to certain payment processing activities (e.g., cashing a check, conducting a funds transfer, authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums). Note that a banking or financial institution may become a business associate if it performs functions above and beyond these payment processing activities on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider.

Examples of persons or entities whose functions or services do not require access to PHI and thus are not business associates include:

  • Janitors
  • Plumbers
  • Electricians
  • Maintenance workers

These persons and entities are not business associates, even though the performance of their job duties might entail access to areas where PHI is maintained or involve some other limited exposure to PHI. This is because HIPAA permits incidental disclosures of PHI, so long as reasonable safeguards are in place to protect the privacy of the PHI.

Another common example is the pharmaceutical sales representative who visits a physician’s office for the purpose of providing drug samples and product information. Because the representative does not require access to PHI in order to carry out these activities, and his or her contact with PHI is merely incidental and limited, he or she is not a business associate of the physician and a BAA is not required.

Similarly, those who are conduits for PHI, such as the postal service, UPS, and private couriers, are also excluded from the business associate definition because they merely transport PHI, whether digitally or in hard copy, but do not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by law. HHS has noted that what separates a mere conduit from a business associate is the transient, versus persistent, nature of the conduit’s opportunity to access PHI during the performance of its functions or provision of its services.  

While HIPAA does not require covered entities to enter into confidentiality agreements with vendors who are not business associates, such agreements should be considered, particularly if the person or entity has access to the facility at times when the covered entity is not present (e.g., a landlord or cleaning service).

What is a Business Associate Agreement (BAA)?

A BAA is a legal contract through which a business associate gives a covered entity satisfactory written assurances that it will safeguard PHI. These assurances enable a covered entity to share PHI with its business associates.  

Although covered entities and business associates are required to enter into BAAs, the existence of a BAA is not determinative of the business associate relationship. In other words, if a person or entity creates, receives, maintains, or transmits PHI on a covered entity's behalf, that person or entity is a business associate, regardless of whether a business associate agreement exists. 

When is a BAA required?

A BAA is required whenever a covered entity uses an outside person or entity to provide services to or perform functions on behalf of the covered entity, the provision or performance of which involve the creation, receipt, use, maintenance, or transfer of PHI.

What are the required elements of a BAA?

All BAAs must include provisions that do the following:

  • Establish the permitted and required uses and disclosures of PHI by the business associate
  • Prohibit the business associate from using or further disclosing the PHI other than as permitted or required by the BAA or as required by law
  • Require the business associate to use appropriate safeguards to comply with HIPAA’s Security Rule to prevent use or disclosure of electronic protected health information other than as provided for by the BAA
  • Require the business associate to report to the covered entity any unauthorized use or disclosure of PHI of which it becomes aware, including breaches of unsecured protected health information
  • Require the business associate to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information
  • Require the business associate to make available protected health information in accordance with an individual’s right to access his or her own PHI
  • Require the business associate to make available for amendment protected health information and to incorporate any amendments to protected health information, in accordance with an individual’s right to have a covered entity amend protected health information or a record about the individual in a designated record set
  • Require the business associate to make available the information required to provide an accounting of disclosures
  • Require the business associate to comply with the requirements of the Privacy Rule to the same extent that the covered entity would have to comply if the covered entity were carrying out the obligations assigned to the business associate
  • Require the business associate to make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by, the business associate on behalf of the covered entity available to HHS for purposes of determining the covered entity's compliance with the Privacy Rule
  • Require the business associate, if feasible, to return or destroy all PHI upon termination of the BAA and, if return or destruction is not feasible, to protect and limit further uses and disclosures of the PHI
  • Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract

What can happen if a covered entity discloses PHI to a business associate without a BAA?

Disclosing PHI to a business associate without first executing a valid BAA is a violation of HIPAA and can subject the covered entity to HIPAA penalties ranging from $112 to $55,910 per violation.

Is a healthcare provider or other covered entity liable for its business associates' HIPAA violations?

Business associates are directly liable for their own HIPAA violations. However, HIPAA also makes covered entities and business associates liable for the acts and omissions of their business associates (and subcontractors) in accordance with the federal common law of agency. In other words, a covered entity may be liable for its business associate's violations (and a business associate for its subcontractor's violations) if the business associate or subcontractor is acting as the covered entity's "agent." A business associate will be deemed the covered entity’s “agent” only when (1) the covered entity has the right or authority to control the business associate’s conduct in the course of providing the service or performing the function on behalf of the covered entity, and (2) the business associate is acting within the scope of its duties (i.e., it is providing a service to or performing a function on behalf of the covered entity). If the covered entity has the right to control the business associate's course of conduct, it will be liable for the business associate's acts and omissions, regardless of what the business associate agreement might say.

Even if a covered entity is not vicariously liable for its business associates' conduct, a business associate's HIPAA violations can trigger important obligations on the part of the covered entity. For example, covered entities who receive credible information that a business associate is engaging in a pattern of activity or practice that constitutes a material breach or violation of the business associate’s obligations under the BAA are required to take reasonable steps to cure the breach or end the violation (or, if such steps were taken but were unsuccessful, to terminate the BAA). In other words, a covered entity who fails to take appropriate action in the face of a business associate’s known noncompliance has itself violated HIPAA.  

HIPAA also requires covered entities to notify affected individuals of breaches of PHI by their business associates, and to mitigate, to the extent practicable, any harmful effects of security incidents or Privacy Rule violations that are known to the covered entity. In short, a business associate’s non-compliance with HIPAA’s Privacy and Security Rules can result in significant costs to the covered entity, even though business associates are directly liable to HHS for their own HIPAA violations. 
