Identifying Business Associates

WHY IT MATTERS
BAs [1] Must Fully Comply With HIPAA to Avoid Costly Penalties and Liability

BAs are directly liable under HIPAA for, among other things, impermissible uses and disclosures of protected health information (PHI), failure to provide breach notifications, failure to provide access to ePHI to either the Covered Entity [2] (CE) or the patient, and failure to comply with the Security Rule.

HIPAA affirmatively requires, among other things and with certain exceptions for research, that BAs enter into written Business Associate Agreements (BAAs); develop, implement and enforce written security policies and procedures; designate a security officer; carefully safeguard all PHI; and obtain BAAs from their subcontractors and confidentiality agreements and assurances from others. Violations subject BAs to civil penalties, which can total millions of dollars.

CEs may also be liable under HIPAA if their BAs are not compliant.

Incorrect Determinations That Persons or Entities Are or Are Not BAs May Lead to Liability for CEs and Those With Whom They Contract

CEs often require that companies and persons who perform services for them enter into BAAs, regardless of whether such companies and persons are actually BAs under HIPAA. By entering into such agreements, CEs may be incorrectly assuming they are protected and creating agency relationships that would not otherwise exist, unnecessarily increasing the CE’s potential liability. Such companies and persons, and all those who hold themselves out as “HIPAA compliant,” must fully comply with all applicable HIPAA regulations. BAs who enter into BAAs when they are not compliant may not only be subject to penalties under HIPAA and liable for breach of the BAAs; they may also be liable for fraud, and the BAAs they enter may be invalid, requiring the return of all monies received thereunder.

OCR may determine that a company or person providing services to or for a CE is a BA even if neither the CE nor the party providing services considers that party to be a BA. If the parties erroneously decide that a company or individual is not a BA, civil penalties may be imposed against all involved for failure to comply with HIPAA, including the failure to enter into a written BAA.

Accordingly, CEs and the companies and individuals performing work for them must give full and thoughtful consideration to whether they should enter into BAAs. Considering the right factors, described generally below, is critical.

BUSINESS ASSOCIATES

Persons or Entities Who Provide Services to a CE or Another BA

• BAs create, receive, use, maintain, transmit or disclose PHI and have a persistent opportunity to access it, as opposed to a transient one (without regard to whether the BA randomly, infrequently or ever actually views the information). BAs usually perform CE functions, including:
  • Claims processing and administration
  • Data management, processing, aggregation, and analysis
  • Utilization review, quality assurance, and benefit management
  • Billing, accounting, and other financial services
  • Legal (yes, outside law firms are BAs)
• An entity that requires access to PHI in order to perform a service for a CE or BA, such as a record locator service, is a BA even if the entity is not an agent of the CE or BA.
• The term “BA” as used herein includes “Subcontractors” or “Sub-BAs.” These “Subs” answer to BAs just as BAs answer to CEs. A subcontracted relationship arises when a BA delegates to the “Sub-BA” a function, activity, or service involving PHI that the BA has agreed to perform for a CE. The “Sub-BA” that undertakes such a function steps into the shoes of the BA and must be bound to the same restrictions and conditions to which the BA is bound under its BAA with the CE. In this situation, the BA and “Sub-BA” must enter into a “Sub-BAA” or, in some cases, a similar arrangement.

Persons or Entities Who Perform Functions or Activities on Behalf of a CE or Another BA

• Agency is determined by the manner or method of control. Look to whether the CE can dictate the time, place, purpose and course of the vendor’s conduct. If so, the vendor is probably a BA.
• A person may believe she is not a BA if she did not agree to perform listed CE functions, but if she is an agent of a CE and has access to PHI, she is probably a BA unless an exception applies.
• Beliefs, labels and contract terms will not govern determinations on agency, which are fact-based, but it is worth stating your intent in the BAA and then expressing it in your dealings. All oral and written interactions should evidence whether or not an agency relationship exists.
• If the CE delegates to a vendor a duty it would otherwise perform itself, the vendor is likely an agent, whereas if the vendor is hired to provide unique expertise, the vendor probably is not an agent.
• In crafting your agreements, consider who wants what.
• BAs may want BAAs to recite that they are agents of CEs so that CEs can be forced to help cover potential liabilities.

NOT BUSINESS ASSOCIATES

Conduits

• Those with a transient opportunity to view PHI, and/or those who do not access PHI other than on a random or infrequent basis as necessary to perform the transportation service, are not BAs. That is, transmission services (digital or hard copy) that provide mere courier / transmission services, e.g. USPS and its electronic equivalents such as Internet service providers (ISPs), or that temporarily store transmitted PHI, are not BAs even if they occasionally glance at it or review the transmitted data to ensure the PHI is arriving at its intended destination.

BA Delegates

• Persons or entities outside the BA’s workforce to whom BAs delegate a function, activity or service that does not involve the creation, receipt, maintenance or transmission of PHI.

Those with Limited and Incidental Access

• Janitors, painters and others who have “incidental” access to PHI and/or to spaces where PHI is stored, or who occasionally overhear discussions with patients by virtue of the services they provide.
• Those who may see computer screens with visible patient information on a limited basis but who do not have systems access.
• Financial institutions that process consumer-conducted financial transactions or conduct any other activity that directly facilitates or effects the transfer of funds for compensation for health care.

Specified Persons or Entities

• Those who undertake patient safety activities.
• Health information organizations and E-prescribing Gateways that do not require routine access to PHI.

The above persons and entities, BA Delegates included, should enter into written contracts providing satisfactory assurances that they will safeguard PHI and keep it confidential. While one covered entity could become a BA of another covered entity, if the covered entities are disclosing PHI to each other for treatment purposes, they are not acting as BAs, and no BAA is necessary.

[1] The term “BA” herein includes “Subcontractors” or “Sub-BAs,” explained infra.

[2] “Covered Entities” include:
• Health care providers sharing PHI electronically;
• Health plans;
• Health care clearinghouses.