Understanding the “Chain of Liability” Under HIPAA and How Business Associate Agreements Allocate Risk and Protect Your Practice

By Kevin Lin

Business associate agreements bind entities with access to protected health information (PHI) to HIPAA’s privacy and data security rules. The obligations of entities under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) can be thought of as links in a chain of liability. At the highest level, HIPAA’s privacy rules apply to “covered entities,” such as health plan providers, clearinghouses, insurance carriers, and certain healthcare providers, which lie at the top of the chain. The HIPAA privacy rules require covered entities such as medical practices to implement comprehensive privacy and data safeguards to protect PHI. These requirements generally fall into three categories: (i) administrative safeguards, such as ongoing risk assessments to identify potential vulnerabilities and risks; (ii) physical safeguards, such as physical measures to prevent unauthorized access and to protect against environmental hazards; and (iii) technical safeguards, such as technical controls to ensure data security.

Beneath covered entities in the chain of liability are “business associates” and their subcontractors. Under HIPAA, a business associate is a person or entity that uses or processes PHI on behalf of a covered entity. Common examples of business associates include providers of billing services, IT and cloud storage, and third-party administrative and benefit management. Apart from the more obvious examples, business associates may also include providers of legal, accounting, or other consulting services, depending on their relationships to covered entities and their access to PHI. The HIPAA privacy rule requires covered entities to obtain written assurances from their business associates whereby the business associate promises to safeguard PHI received or created on behalf of the covered entity. Further, the rule extends the same business associate privacy and data security requirements to subcontractors of business associates. Allocating risk and liability to business associates and their subcontractors is intended to reduce potential exposure of PHI as multiple parties assist a covered entity in performing its functions.

Moreover, HIPAA sets forth specific elements that must be in every business associate contract. These elements include: establishing the permitted and required uses and disclosures of PHI by the business associate; requiring the use of appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the contract; and reporting to the covered entity any breaches of unsecured PHI. Compliance is critical, as business associates and their subcontractors may face direct liability under HIPAA for violations of provisions required under these privacy and data security rules.

There are a few exceptions or situations where a business associate contract is not required. For example, a covered entity’s own employees are not considered business associates under the statute. Further, healthcare providers themselves are not business associates while rendering treatment to patients. By way of example, a physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for treatment. Finally, disclosure to a health plan sponsor, such as an employer, by a group health plan or health insurance issuer is also exempt. Despite these exceptions, it is important to note that if an entity truly is a business associate as defined under the HIPAA privacy rules, it cannot escape liability simply by avoiding a written business associate agreement. The safest approach to avoiding business associate contracts, of course, is to ensure that no PHI is handled by the would-be business associate.

Given the nuanced and fact-specific application of HIPAA’s privacy rules, it is important for all entities that handle PHI to have an experienced professional carefully review how the rules apply to their particular practice. Above all, healthcare professionals and other covered entities should identify and review all vendor contracts outside the scope of their active medical practices (such as contracts for ancillary office services). For example, medical professionals should ask, “Do I have a business associate agreement in place with my IT vendor? Does it meet HIPAA privacy requirements?” Not only are such agreements required; in the event of a breach by a business associate, covered entities must take steps to cure the breach or terminate the business associate contract. Therefore, knowing and monitoring your business associates is critical to protecting the integrity, security, and reputation of your practice.
