See our January 2017 white paper for updated information on who is a HIPAA business associate.
A wide range of vendors and contractors that perform services or other functions for health care providers or health plans face substantial new obligations and potential liabilities as business associates under the final Omnibus Rule issued on January 17, 2013 by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). Therefore, it is crucial for covered entities, as well as anyone performing services involving Protected Health Information (PHI) for covered entities or business associates, to identify all of their business associate relationships so they can take appropriate actions to comply with the new regulations. As discussed below, whether a service provider is a business associate under the revised regulations will depend on the relationship of the parties, the nature of the services and whether the activities involve the use, disclosure, transmission, or maintenance of PHI.
- All parties to any contract or other arrangement involving PHI in connection with the performance of services or functions by anyone (other than the covered entity’s workforce) should review their arrangements to determine whether a business associate relationship has been or will be created.
- Covered entities and business associates should review their business associate agreements and determine whether the agreements qualify for grandfathered status, identify revisions that are needed in order to satisfy the new regulations and enter into new business associate agreements by the September 23, 2013 compliance date, or the extended deadline if applicable.
- Business associates (as well as covered entities) need to take appropriate steps to comply with the Privacy, Security and Breach Notification Rules by the compliance date.
The Privacy and Security Rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) allow covered entities to disclose PHI to business associates, and allow business associates to create and receive PHI on behalf of the covered entity, subject to the terms of a business associate agreement between the parties. PHI is defined broadly to encompass individually identifiable health information relating to the health of an individual or to the provision of, or payment for, health care services. For purposes of HIPAA, a “covered entity” is a health care provider (such as a hospital, physician practice or pharmacy) that transmits health information in electronic form, a health plan or a health care clearinghouse (such as certain medical billing companies that process and submit claims to health plans).
In general, an individual (other than a member of the covered entity’s workforce) or organization that performs or furnishes any function, activity or service, for or on behalf of a covered entity involving the use or disclosure of PHI, has been characterized as a business associate since the Privacy Rule took effect in 2003. The HIPAA rules define a covered entity’s workforce as employees, volunteers, trainees, and others acting under the covered entity’s direct control, regardless of whether they are paid. Historically, business associates were contractually required to maintain the privacy, and protect the security, of PHI as provided in their business associate agreements (that is, if they entered into a business associate agreement), but were not subject to sanctions under the HIPAA rules for noncompliance with their business associate agreements or HIPAA rules.
On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009, including the Health Information Technology for Economic and Clinical Health Act (known as the “HITECH Act” or “HITECH”), which expanded the HIPAA obligations and exposure of business associates by applying various HIPAA rules directly to business associates, requiring business associates to comply with breach notification requirements and subjecting business associates to civil and criminal penalties for HIPAA violations.
The Omnibus Rule
The Omnibus Rule amends the Privacy, Security, Breach Notification, and Enforcement Rules that were previously issued under HIPAA and the HITECH Act.
For an overview of the Omnibus Rule, which was published in the Federal Register on January 25, 2013, see our January 2013 Alert, Final Rule Implements HITECH Revisions to Privacy and Security Rules.
In addition to implementing various provisions of the HITECH Act by applying the Security Rule and a number of Privacy Rule obligations directly to business associates, the Omnibus Rule extends the business associate definitions and related HIPAA obligations to new categories of business associates, including subcontractors of business associates and companies that store or transmit PHI. The Omnibus Rule also requires business associate agreements be amended to incorporate the new standards and expands the potential liability of covered entities to include exposure for the acts and omissions of a business associate if the business associate is deemed to be an agent of the covered entity and the acts or omissions are within the scope of the agency.
The Omnibus Rule took effect on March 26, 2013, with a compliance date of September 23, 2013. Covered entities and business associates, including subcontractors, must comply with the Omnibus Rule by September 23, 2013, although transition provisions allow covered entities and business associates to continue to operate under existing business associate agreements for up to one year beyond the compliance date (until September 22, 2014) if the business associate agreement:
- Is in writing
- Was in place prior to January 25, 2013 (the publication date of the Omnibus Rule)
- Complies with the Privacy and Security Rules as in effect immediately prior to January 25, 2013, and
- Is not modified or renewed
Expanded business associate definition
The Omnibus Rule defines business associate as any individual (other than a member of the covered entity’s workforce) or organization that either:
- Creates, receives, maintains, or transmits PHI on behalf of a covered entity or an Organized Health Care Arrangement (OHCA) for a function or activity regulated under the HIPAA administrative simplification rules, such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing; or
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.
The Omnibus Rule adds the following new categories of business associates:
- Those who store or otherwise maintain PHI
- Health Information Organizations (HIOs), e-prescribing gateways and others who provide data transmission services to a covered entity and require routine access to PHI
- Anyone who offers a personal health record to individuals on behalf of a covered entity
- Subcontractors of business associates, if the business associate delegates to the subcontractor a function, activity or service that the business associate has agreed to perform for the covered entity, or for another business associate and any of the delegated functions, activities or services involve the creation, receipt, maintenance, or transmission of PHI.
Though covered entities and business associates are required to enter into business associate agreements, anyone who performs services or functions that fit within the definition of business associate will be subject to the business associate obligations under the HIPAA rules, even if no business associate agreement is signed. Therefore, business associates now have a proactive obligation to identify their business associate relationships and satisfy the HIPAA rules in connection with those relationships.
There are bound to be some disagreements between covered entities and service providers on the issue of whether a particular arrangement triggers business associate status and therefore the need for a business associate agreement and compliance with the expanded business associate obligations. Such disputes are likely to arise with increasing frequency due to the expanded business associate obligations and potential liabilities under the HIPAA rules, as well as uncertainties regarding how to apply the new business associate definition to some categories of service providers as noted below.
Subcontractor business associates
The expansion of business associate obligations to subcontractors is intended to avoid the lapse of privacy and security protections when business associates share PHI with their subcontractors. Anyone, other than a member of a covered entity's or business associate’s workforce, who assists a business associate in performing a function, activity or service involving PHI for a covered entity may potentially become subject to the HIPAA rules as a subcontractor business associate. Commentary in the preamble to the Omnibus Rule indicates that a subcontractor may be deemed a business associate if at least part of a delegated task is within the business associate’s responsibilities to the covered entity, but that not all those who access PHI in providing services for a business associate will become business associates. As an example, the commentary notes that a business associate’s disclosure of PHI for its (and not the covered entity’s) management and administration would not create a subcontractor business associate relationship, although the Privacy Rule would still require reasonable assurances that the PHI will be held confidentially and will not be disclosed except as required by law or for the purposes of the disclosure, and agreement to notify the business associate if the recipient of the PHI becomes aware that confidentiality of the PHI has been breached.
HIPAA obligations and potential liability can now extend to subcontractors who have no direct connection or relationship with any covered entity, no matter how far the PHI flows down the chain from business associate to subcontractors and how little the subcontractor knows about the relationship with the covered entity. For example, if business associate A engages subcontractor B to perform part of business associate A’s responsibilities involving the covered entity’s PHI, subcontractor B in turn delegates some of its responsibilities involving the PHI to subcontractor C, and subcontractor C delegates part of its responsibilities to subcontractor D, then subcontractors B, C and D (as well as business associate A) would all be considered business associates of the covered entity and the HIPAA business associate obligations would extend down the chain from business associate A to subcontractors B, C and D.
In addition, business associate agreements would be required between:
- The covered entity and business associate A
- Business associate A and subcontractor B
- Subcontractor B and subcontractor C and
- Subcontractor C and subcontractor D
The extension of business associate status to subcontractors is bound to ensnare many unsuspecting individuals and organizations that were previously untouched by the HIPAA rules and may not be aware that they are performing functions for covered entities or dealing with PHI. In light of uncertainties regarding how to determine who is a business associate under the new subcontractor standards, additional guidance is expected from OCR on this important issue.
Data transmission and storage
The Omnibus Rule adds maintenance of PHI to the functions that trigger business associate status. For example, OCR’s commentary characterizes a data storage company that has access to PHI in either hard copy or digital form as a business associate even if the storage company never views the PHI or does so only on a random or infrequent basis. OCR had previously indicated that a document storage company would not be considered a business associate when the PHI is maintained in closed and sealed containers and the document storage company does not access the PHI, other than incidental access, such as when a box becomes damaged and needs to be repackaged. For example, a medical practice that has been storing old medical records in an off-site location will now need a business associate agreement with the storage company.
With regard to data transmission services that trigger business associate status, the Omnibus Rule specifies two types of service providers: HIOs (i.e., organizations such as health information exchanges that oversee and govern the exchange of health-related information among organizations) and e-prescribing gateways. The definition also includes others who provide data transmission services to covered entities relating to PHI and require access to PHI on a routine basis. This catch-all provision creates uncertainty regarding how far business associate status extends with respect to data transmission organizations.
OCR draws a distinction between data transmission services that require access to PHI “on a routine basis” and are therefore deemed to be business associates, and “conduits,” which are not business associates. OCR notes in the preamble that this is a fact-specific determination based on the nature of the services provided and the extent to which the service provider needs access to PHI to perform its data transmission services for the covered entity.
Since 2000, OCR has recognized that businesses functioning as mere conduits are not business associates, although OCR’s commentary indicates that various service providers, such as some cloud vendors, application service providers (ASPs), and perhaps even internet service providers (ISPs) that were generally viewed as conduits prior to the Omnibus Rule, may now be considered business associates. OCR interprets the conduit exception narrowly and limits it to mere courier services, such as the U.S. Postal Service, UPS and their electronic equivalents, such as ISPs that provide mere data transmission services.
The Omnibus Rule preamble explains that a conduit transports information, but does not access it except on a random or infrequent basis as necessary to perform the transportation service or as required by law. As an example of access that is consistent with conduit (rather than business associate) status, the commentary notes that a telecommunications company may have occasional, random access to PHI when reviewing whether the data transmitted over its network arrives at its intended destination. In contrast, an organization that requires access to PHI in order to perform a service for a covered entity, such as an HIO that manages the exchange of PHI through the use of a record locator service, does not qualify as a conduit and is therefore a business associate. OCR’s commentary indicates that transmission services that temporarily store transmitted data can fit within the conduit exception, but suggests that organizations maintaining PHI on a persistent basis are business associates rather than conduits.
In light of the catch-all data transmission provision, the addition of maintenance of PHI as a business associate function and the preamble commentary, the business associate definition now casts a wider net that can include service providers, such as cloud vendors, ISPs, ASPs and document storage companies that previously were not commonly regarded as business associates. Determining whether service providers (other than HIOs and e-prescribing gateways, which are expressly included within the regulatory definition) that transmit or store PHI are business associates will present challenges due to uncertainties regarding the standards under the Omnibus Rule for distinguishing between a business associate and a conduit. It may be possible for a cloud vendor or other data transmission service to avoid business associate status by ensuring that all covered entity PHI that it stores or transmits is encrypted, although there is a lack of guidance on this issue. OCR has indicated that it intends to issue further guidance on conduits. In the meantime, data transmission and storage companies, as well as covered entities that utilize their services, need to take action based on the existing guidance and the text of the Omnibus Rule.
Exceptions (who is not a business associate)
Examples of businesses and individuals that are typically not considered business associates:
- An individual who performs services as part of the workforce of a covered entity
- A health care provider, to the extent that disclosures of PHI by another covered entity concern the treatment of the individual
- A plan sponsor (such as an employer), with respect to various disclosures from its group health plan
- Financial and banking institutions when performing only payment processing activities
- A janitorial service performing traditional functions
- Maintenance and repair personnel (other than working on systems holding PHI)
- Conduits (e.g., U.S. Postal Service and its electronic equivalents)
- Researchers (unless engaged to perform activities regulated by the HIPAA rules)
Typically a business associate
Examples of service providers that are typically business associates when accessing PHI, except when acting as members of the workforce of the covered entity or of another business associate:
- Medical transcription companies
- Answering services
- Document storage or disposal (shredding) companies
- Patient safety or accreditation organizations
- Companies involved in claims processing, repricing or collections (e.g., medical billing companies)
- Health information exchanges (HIEs), e-prescribing gateways and other HIOs
- Third party administrators and pharmacy benefit managers
- Data conversion, de-identification and data analysis service providers
- Utilization review and management companies
Sometimes a business associate
The following are examples of service providers that are sometimes business associates, depending on the underlying relationships, whether they access PHI and the functions involved:
- Accounting firms
- Law firms
- Consulting firms
- Software vendors and consultants
- Financial institutions (if engaging in accounts receivable or other functions extending beyond payment processing)
- ISPs, ASPs and cloud vendors
- Companies providing personal health records (business associate if providing personal health records on behalf of a covered entity)
- Researchers (if performing HIPAA functions for a covered entity)