By Kelly Thompson, Foley & Lardner, LLP
As in-house counsel, it is important to understand whether a given contractual relationship between a covered entity and a vendor or contractor requires a business associate agreement. In this Quick Counsel, I will briefly discuss who business associates are, required elements of a business associate agreement, and managing risks of business associate agreements.
Who are Business Associates?
Under the Health Insurance Portability and Accountability Act of 1996 and implementing regulations (“HIPAA”), covered entities and business associates are required to comply with HIPAA. A covered entity includes health care providers that transmit information in an electronic form in connection with a transaction covered under HIPAA, health plans, and health care clearinghouses. Specifically, if a health care provider furnishes, bills, or receives payment for health care services, and transmits those transactions electronically, the provider is a covered entity under HIPAA.
A business associate is a person or entity (other than a member of the covered entity’s workforce) that creates, receives, maintains, or transmits protected health information for a covered entity. Examples of business associate activities include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing. Additionally, business associates are required to enter into subcontractor business associate agreements with a business associate that creates, receives, maintains, or transmits protected health information on behalf of another business associate. A subcontractor business associate must comply with the same requirements which apply to contracts or other arrangements between a covered entity and business associate.
Many vendors and contractors that provide services to covered entities in which protected health information is involved will fit within the definition of a business associate. Common business associates include billing companies, electronic health record companies, accounting firms, law firms, and cloud storage companies. Business associates do not include, among other things, a health care provider, with respect to disclosures by a covered entity concerning the treatment of the individual, such as when a hospital refers a patient to a specialist and transmits the patient’s medical chart for treatment purposes, or when a physician sends a patient’s protected health information to a laboratory, because that disclosure is made for the treatment of the individual. A business associate agreement is not required for the disclosure of protected health information to health plans and insurers for payment purposes. Other persons, such as a janitor or electrician, whose access to protected health information would only be incidental, if at all, are not considered business associates. Additionally, HIPAA has provided a conduit exception, which provides that random access by a data transmission entity does not necessarily make the entity a HIPAA business associate. For example, a pure internet service provider typically is a conduit, as they determine whether protected health information being transmitted over its network is arriving to its intended destination, but do not access or store the data. Disclosures made throughout the covered entities’ workforce are also exempted from the business associate definition.
However, in some instances, it is not as clear when a business associate agreement is or is not required. For example, a covered entity, that is already required to comply with HIPAA, can act as a business associate for another covered entity, and therefore, must enter into a business associate agreement. This is common when a covered entity provides management services for another provider. As such, medical directors are often considered business associates because of the provision of non-treatment related services, including the administrative and management services provided by the medical director. Alternatively, if the medical director is treated as a member of the covered entity’s workforce, then a business associate agreement may not be required because it fits within the workforce exclusion.
Once a determination of your business associates has been made, you must enter into a HIPAA-compliant business associate agreement. The following section outlines the required terms which must be included in a business associate agreement.
Business Associate Agreement Requirements
Following the 2013 update to HIPAA, business associates became directly subject to HIPAA’s privacy and security rule regulations, such as adopting physical, technical, and administrative safeguards under the Security Rule, as well as complying with provisions of the Privacy Rule and breach notification requirements. Not only are business associates required to implement certain policies and procedures to protect patient’s health information, a business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. Most importantly, business associates may not use or disclose protected health information in a manner that would violate HIPAA if done by the covered entity.
A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, through a business associate agreement, that the business associate will appropriately safeguard the information. A business associate agreement must contain the elements specified at 45 CFR 164.504(e) and listed below:
Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate HIPAA;
Provide that the business associate will:
o Not use or further disclose the information other than as permitted or required by the contract or as required by law;
o Use appropriate safeguards and comply, where applicable, with the
Security Rule requirements with respect to electronic protected health information;
o Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by §164.410;
o Ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;
o Make access available to an individual for their protected health information;
Make available protected health information for amendment and incorporate any amendments to protected health information;
o Make available the information required to provide an accounting of disclosures;
o To the extent the business associate is to carry out a covered entity's obligation under HIPPA, comply with the requirements that apply to the covered entity in the performance of such obligation;
o Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart.
Address the termination of the contract and, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
HIPAA permits the inclusion of additional rights of a business associate, such as permitting the business associate to use and disclose protected health information for the proper management and administration of the business associate, and to provide data aggregation services relating to the health care operations of the covered entity.
Managing Risks of Business Associates Agreements
One of the most recent enforcement trends from the Office of Civil Regulations (“OCR”), the agency that enforces HIPAA, is ensuring that covered entities have entered into HIPAA-compliant business associate agreements. In 2017, a covered entity was fined $31,000 for failing to enter into a business associate agreement with one of their identified business associates. Not only must covered entities enter into HIPAA-compliant business associate agreements, they must also conduct proper due diligence on those entities. Reviewing a business associate’s security risk audits and HIPAA policies and procedures is a good way to evaluate a business associate’s HIPAA compliance program. In addition to conducting due diligence on your business associates, it is important to negotiate business associate agreement terms to provide covered entities protections under the arrangement. Additional terms that are often added include indemnification language, choice of law provisions, no third party beneficiaries, no right to assign rights under the agreement, rights to terminate the agreement, timelines and requirements related to reporting breaches and notifying individuals, and insurance requirements, among other things.
Although business associates are directly liable under HIPAA, if a business associate breaches your patient’s information, much of the risk and liability will remain with you as the provider. Additionally, the public scrutiny that comes with breaches of patient information is not something a provider wants. Therefore, it is important to ensure your business associates have all been identified, vetted, and have entered into HIPAA -compliant business associate agreements. Health regulatory counsel familiar with HIPAA and business associate agreements can provide additional assistance when issues have been identified or other concerns about the laws arise.