Not everybody who comes in contact with PHI is a Business Associate. So whether a Business Associate Agreement with a third party is needed depends solely on whether the third party is a person or entity performing Business Associate activities.
Typical examples of entities often not considered Business Associates include:
- Cleaning Company – Unless the cleaning company is using, storing, or otherwise making use of PHI on the Covered Entity's behalf, the routine cleaning and disposal of the garbage in a medical office does not involve Business Associate activities requiring a Business Associate Agreement. The Covered Entity has some duty to encrypt, shred, or otherwise make discarded PHI secure from interception by the cleaning crew or others who might access it. It is a good idea to discuss this with the cleaning company to ensure that its workers understand what they should do in the event they come in contact with PHI. In short, the Covered Entity should be notified whenever PHI has been left in an unsecured area. For instance, should workers find un-shredded PHI in the trash, they must alert the practice.
- Laboratories – Pathology or reference labs are considered health care providers, which makes them Covered Entities. Typically, they are not Business Associates.
- Physician Referrals – Patient referrals often contain PHI. When sent to specialists, other physicians, or other health care providers, they are considered disclosures to other Covered Entities (not Business Associates) for treatment.
- Telecommunications Relay Service Providers – These companies are often necessary for physicians and other health care providers to communicate with patients or parents with hearing or speech impairments. Under the Privacy Rule, a Covered Entity such as a doctor can contact a patient via a Telecommunications Relay Service, without the need for a business associate contract.
The Omnibus Rule expanded the definition of "business associates" to include data storage companies, entities that provide data transmission services if they require routine access to PHI, and subcontractors of business associates.
New Provisions for Business Associates Under HITECH
When HIPAA was originally enacted and the first set of regulations published, the statutory language specified that only certain Covered Entities would be required to abide by the law: health care providers, health insurance plans, and specialty health data entities known as health care clearinghouses. That left many entities with regular access to medical information, such as billing companies, accountants, lawyers, pharmacy benefit management companies, and other healthcare entities and vendors, outside the scope of the law. Collectively, they are classified as Business Associates.
Although HIPAA now applies directly to business associates, HIPAA still requires covered entities to execute "business associate agreements" (BAAs) with their business associates before disclosing PHI to them.
The HITECH Act provisions making Business Associates directly liable for most HIPAA requirements do not negate the requirement for Covered Entities to have BAAs. Because the HITECH Act only imposed some obligations on Business Associates, and because a Business Associate's obligations need to be closely tailored to the Covered Entity for which it works, BAAs are still necessary. More importantly, they need to be updated to comply with the HITECH Act and the Omnibus Rule regulations implementing it.
Here are some examples of how BAAs need to be amended to address HITECH Act and related regulations.
- Add a definition of HITECH and the Omnibus Rule, and consider whether to include them in the definition of HIPAA.
- Where the BAA describes the Business Associate as an entity receiving data from the Covered Entity or producing it for the Covered Entity, include the words "creates, receives, maintains or transmits." That is the new language defining the roles that a third-party vendor can play to become a Business Associate, and it is useful to include the same language.
- Specifically note that the Business Associate must notify the Covered Entity of any "breach" as defined in HIPAA. This can be included in the "reporting of disclosures" section or some similar location. Remember to include a relatively short reporting period (3-5 days, usually), so that the Covered Entity will be able to meet its own timing requirements if the breach must be reported. A Covered Entity has up to 60 days to report a breach, but that is an outside limit; the obligation is to report "without unreasonable delay," and if the Business Associate delays in reporting, the Covered Entity may not be able to meet its own timing constraints.
- Add to the "accounting of disclosures" section a statement specifying that, if the Business Associate maintains records in electronic form, it will account for ALL disclosures for at least a 3-year period. This is different from the original accounting requirement, which excludes many disclosures but lasts for 6 years.
- Specifically note that the Business Associate has obligations under the HITECH Act, and require the Business Associate to acknowledge and agree to abide by those requirements.
- Add a provision noting that the Business Associate will abide by requirements not to disclose data to insurers and other health plans if the patient pays for the service in full and requests confidentiality. The Covered Entity will likely have to notify the Business Associate that a patient has requested such secrecy.
- The BAA should already give the Covered Entity the right to terminate if the Business Associate violates the BAA. However, the Covered Entity should add a provision allowing the Business Associate to terminate the BAA if the Covered Entity fails to meet its HIPAA obligations. This is not mentioned in the Omnibus Rule, but was specifically noted in the HITECH Act.
- The Omnibus Rule added some language to the BAA regulations that was not otherwise mentioned in the HITECH Act. If the Business Associate carries out one of the Covered Entity's obligations under the Privacy Rule, the BAA must require that the Business Associate agree to abide by that Privacy Rule provision. While this is covered conceptually in almost every BAA already, it can't hurt to include specific language to this effect.
If they have not done so recently, Covered Entities should identify their business associates and ensure appropriate agreements are executed with them.
A sample Business Associate Agreement and more information on Business Associates can be found in the Academy's HIPAA Privacy Compliance Manual.
Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney.
The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired.