by Kim Stanger, Holland & Hart LLP
The HIPAA privacy rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity who “creates, receives, maintains or transmits” protected health information (“PHI”) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; malpractice insurers; etc.) (See 45 CFR 160.103). “A covered entity may be a business associate of another covered entity.” (Id.). Also, with very limited exceptions, a subcontractor or other entity that creates, receives, maintains or transmits PHI on behalf of a business associate is also a business associate. (Id.; 78 FR 5572). To determine if an entity is a business associate, see the attached Business Associate Decision Tree.
Business Associate Requirements. In general, an entity that is a “business associate” under HIPAA must do the following:
1. Perform and document a security risk assessment of its information systems containing electronic PHI. (45 CFR 164.308).
2. Implement specified administrative, technical and physical safeguards to protect the integrity, confidentiality, and availability of electronic PHI (e.g., establish access controls; use firewalls, virus protections, and encryption; backup data; implement appropriate security policies and procedures; etc.). (45 CFR 164.300 et seq.).
3. Execute and perform according to written business associate agreements with covered entities that essentially require the business associate to maintain the privacy of PHI; limit the business associate’s use or disclosure of PHI to those purposes authorized by the covered entity; and assist covered entities in responding to patient requests concerning their PHI. (45 CFR 164.308(b), 164.314(a), 164.502(e), and 164.504(e)). For more information about business associate agreements, see the attached Checklist for HIPAA Business Associate Agreements. If the covered entity discloses only a “limited data set” to the business associate, the parties may execute a data use agreement instead of a full business associate agreement. (45 CFR 164.514(e)).
4. Report security incidents and privacy breaches to the covered entity. (45 CFR 164.314(a), 164.410, and 164.502(e)).
5. If the business associate uses subcontractors or other entities to provide any services for the covered entity involving PHI, execute business associate agreements with the subcontractors. (45 CFR 164.314(a) and 164.504(e)).
Business associates who violate HIPAA may be subject to penalties of $100 to over $50,000 per violation. (45 CFR 160.404). If the violation resulted from willful neglect, the Office of Civil Rights (“OCR”) must impose a penalty of at least $10,000 per violation. (Id.). If the business associate acted with willful neglect and fails to correct the violation within thirty (30) days, the OCR must impose a penalty of at least $50,000 per violation. (Id.). A single breach may result in numerous violations. For example, the loss of a laptop containing hundreds of patients’ PHI may constitute hundreds of violations. Similarly, each day that a covered entity or business associate fails to implement a required policy constitutes a separate violation. (45 CFR 160.406). In addition to regulatory penalties, business associates who fail to comply with business associate agreements may also be liable for contract damages and/or indemnification requirements set forth in the business associate agreement.
Avoiding Business Associate Requirements. Given the cost of compliance and penalties for noncompliance, entities may want to avoid becoming a “business associate” or executing business associate agreements if possible. The following are not business associates and may properly decline to execute a business associate agreement:
1. Entities that do not create, receive, maintain, or transmit PHI. If you want to avoid business associate obligations, the safest course is to ensure that you do not handle PHI on behalf of either a covered entity or a business associate of a covered entity. Accidental receipt of or incidental access to PHI outside your contracted job duties does not trigger business associate obligations. The OCR has stated:
A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of [PHI], and where any access to [PHI] by such persons would be incidental, if at all. [For example], janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of [PHI], and any disclosure of [PHI] to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented.
(OCR Frequently Asked Questions (“FAQ”), available at http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html). Similarly, “[t]he mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the [PHI] of the covered entity.” (Id.). Entities seeking to avoid business associate obligations may want to include a provision in their service contracts confirming that they do not require PHI to perform their functions, and that its clients who are covered entities or business associates will not provide PHI (or, as discussed below, unencrypted PHI) to the entity without the entity’s prior agreement.
2. Members of an entity’s own workforce. Members of an entity’s own workforce are not business associates of the entity, including “employees, volunteers, trainees, and other persons whose conduct, in performance of work for a covered entity or business associate, is under the direct control of such entity or business associate, whether or not they are paid by the covered entity or business associate.” (45 CFR 160.103). To avoid business associate obligations, contractors may seek to be classified as members of the covered entity’s workforce. The OCR has stated:
If a service is hired to do work for a covered entity where disclosure of [PHI] is not limited in nature (such as routine handling of records or shredding of documents containing [PHI]), it likely would be a business associate. However, when such work is performed under the direct control of the covered entity (e.g., on the covered entity’s premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity need not enter into a business associate contract with the service.
(OCR FAQ; see also 78 FR 5574). Similarly,
A software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function is a business associate of a covered entity. In these examples, a covered entity would be required to enter into a business associate agreement before allowing the software company access to [PHI]. However, when an employee of a contractor, like a software or information technology vendor, has his or her primary duty station on-site at a covered entity, the covered entity may choose to treat the employee of the vendor as a member of the covered entity’s workforce, rather than as a business associate.
(OCR FAQ). Although characterization as a workforce member would help contractors avoid business associate obligations, covered entities may resist classifying contractors as members of their workforce because doing so may indicate that the contractor is acting as the agent of the covered entity, thereby exposing the covered entity to vicarious liability for the contractor’s actions. (See 45 CFR 160.402(c); 78 FR 5581).
3. Members of an organized health care arrangement. Covered entities that participate in an organized health care arrangement (“OHCA”) are not business associates of each other while performing functions on behalf of the OHCA; “thus, they may use and disclose [PHI] for the joint health care activities of the OHCA without entering into a business associate agreement.” (OCR FAQ; see 45 CFR 160.103). An OHCA is (1) “A clinically integrated care setting in which individuals typically receive health care from more than one health care provider” (e.g., a hospital and its medical staff); (2) an organized system of health care in which more than one covered entity participates and in which the participating covered entities engage in joint utilization review, quality improvement, or payment activities (e.g., provider networks); or (3) certain arrangements between group health plans and other insurers. (45 CFR 160.103). The OHCA exception only applies to covered entities (e.g., healthcare providers and health plans) that perform functions for the OHCA; it does not apply to other entities that require PHI to perform functions on behalf of the OHCA.
4. Healthcare providers who receive PHI to treat patients. A healthcare provider is not a business associate of other covered entities while rendering treatment to patients. (See 45 CFR 160.103; see also 65 FR 82476 and 82504). As explained by the OCR:
The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1). Therefore, any covered health care provider (or other covered entity) may share [PHI] with a health care provider for treatment purposes without a business associate contract.
(OCR FAQ). For example,
- A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
- A physician is not required to have a business associate contract with a laboratory as a condition of disclosing [PHI] for the treatment of an individual.
- A hospital laboratory is not required to have a business associate contract to disclose [PHI] to a reference laboratory for treatment of the individual.
(OCR Business Associate Guidance, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html). This exception only applies to the extent that the healthcare provider is using the PHI for treatment purposes; it would not apply if the healthcare provider is using the information to perform other functions on behalf of the covered entity. “For example, a hospital may enlist the services of another health care provider to assist in the hospital’s training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to [PHI].” (OCR FAQ). Even in that example, however, the hospital and physician would not need a business associate agreement if they were members of an OHCA.
5. Entities acting on their own behalf or on behalf of the patient. The business associate requirements only apply to entities who are performing a function involving PHI on behalf of a covered entity or its business associate. Entities that handle PHI for their own purposes are not business associates. For example, “[a] provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the ‘business associate’ of the other.” (OCR Business Associate Guidance). Similarly, a bank or financial institution is not a business associate of a covered entity when it “processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums”; in such cases, “the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity” and is not a business associate. (Id.; 78 FR 5575; 65 FR 82476). Researchers are not business associates of covered entities even if the researcher is hired by the covered entity to conduct research. (78 FR 5575). “Where a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other.” (65 FR 82476). Covered entities that simply provide PHI for another covered entity’s healthcare operations are not business associates of the other entity. (65 FR 82476). Finally, an entity performing services on behalf of the patient, not on behalf of the healthcare provider, is not a business associate (e.g., an attorney who requests health information to represent the patient, or a company that collects and interprets data on behalf of a patient).
6. Entities performing management or administrative functions for business associates. Covered entities may allow business associates to use PHI for the business associate’s own management and administration or legal responsibilities. (45 CFR 164.504(e)(4)). If so,
[d]isclosures by a business associate … for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the [PHI] because such disclosures are made outside of the entity’s role as a business associate…. In contrast, disclosures of [PHI] by the business associate to a person who will assist the business associate in performing a function, activity, or service for a covered entity or another business associate may create a business associate relationship depending on the circumstances.
(78 FR 5574). However, even if no business associate agreement is required because an entity is assisting the business associate in its own management or administration functions, HIPAA still restricts the use or disclosure of PHI by the entity:
for [any] such disclosures that are not required by law, [HIPAA] requires that the business associate obtain reasonable assurances from the person to whom the [PHI] is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and the person notifies the business associate of any instances of which it is aware that the confidentiality of the information has been breached. See § 164.504(e)(4)(ii)(B).
(78 FR 5574). Such “reasonable assurances” may be obtained through a limited confidentiality agreement; a full-blown business associate agreement is not required.
7. Entities who are mere “conduits” for PHI. Entities that transmit PHI for a covered entity are not business associates if they are not required to access the PHI on a routine basis, i.e., they are merely “conduits” of the PHI (e.g., internet service providers, phone companies, etc.). (45 CFR 160.103; 78 FR 5571; 65 FR 82476).
Regarding what it means to have “access on a routine basis” to [PHI] with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to [PHI] to perform the service for the covered entity. The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to [PHI] when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to [PHI] would not qualify the company as a business associate. In contrast, an entity that requires access to [PHI] in order to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of [PHI] through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate.
(78 FR 5571-72).
8. Maybe entities who maintain encrypted PHI. In contrast to entities that transmit PHI, entities that maintain PHI (e.g., data storage companies) are generally considered business associates. (45 CFR 160.103; 78 FR 5572). As HHS explained:
an entity that maintains [PHI] on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the [PHI]. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the [PHI]. However, the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to [PHI] (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining [PHI] on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.
(78 FR 5572, emphasis added). Note that the foregoing analysis applies to data storage companies that “have access to” the PHI. Unless and until we receive contrary guidance from HHS, there is a fairly strong argument that business associate requirements do not and should not apply to entities that maintain encrypted PHI if the entity does not have the encryption key. HHS’s breach notification rule assumes that encrypted data is secure. (See OCR Guidance at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html). Accordingly, it would be consistent to assume that maintenance of encrypted data without the key should not trigger business associate obligations.
Avoiding Unnecessary Business Associate Agreements. Unfortunately, out of ignorance or an abundance of caution, many covered entities or business associates are requesting business associate agreements even when such agreements are not technically required. Entities should avoid executing unnecessary business associate agreements; doing so may subject them to contractual liabilities they would not have but for the agreement, including the costs of complying with regulations that do not otherwise apply; limits on the use of disclosure of information; and damages for failure to comply. In addition, by executing unnecessary business associate agreements, the entity may be inappropriately admitting that it is a business associate, thereby exposing itself to HIPAA penalties for noncompliance. To avoid such situations, entities who are asked to execute unnecessary business associate agreements might consider responding as follows:
1. Explain the limits on business associate obligations discussed above. Hopefully, the covered entity will recognize that a business associate agreement is not required, and will be willing to forego the agreement.
2. Explain the limits on the covered entity’s liability. Some covered entities or business associates insist on business associate agreements because they mistakenly assume that they are vicariously liable for the contractor’s HIPAA violations. HIPAA clearly states that covered entities or business associates are only liable for their business associates’ or subcontractors’ actions if the business associate or subcontractor is acting as an agent of the covered entity, i.e., that the covered entity had the right to control the business associate’s or subcontractor’s actions. (45 CFR 160.402(c); 78 FR 5581). The parties may avoid vicarious liability by ensuring that any contract between them clearly identifies the business associate or subcontractor as an independent contractor, not an agent, and that the covered entity does not control the actions or operations of the business associate or contractor. (78 FR 5581). To that end, an overly restrictive business associate agreement may actually work against the covered entity because it may suggest an agency relationship or give the covered entity greater control over the actions of the contractor.
3. Offer to execute an appropriate confidentiality agreement. In lieu of a business associate agreement, the business associate or subcontractor might offer to enter an appropriate confidentiality agreement that protects the covered entity while avoiding the full responsibilities or regulatory liabilities of a business associate agreement.
4. Condition the business associate agreement. Finally, if the covered entity still insists on a business associate agreement, the business associate or subcontractor might minimize its exposure by conditioning a business associate agreement on the entity’s status as a business associate, i.e., the entity undertakes the responsibilities if and to the extent that it is a business associate as defined by HIPAA. Although an imperfect solution, it might at least allow the entity to avoid regulatory penalties if it truly is not a business associate.
Conclusion and Caution. Hopefully, the foregoing will allow entities which truly are not “business associates” under HIPAA to avoid business associate status and associated liabilities. On the other hand, if an entity is truly a “business associate” under the regulations, it cannot escape regulatory liability by avoiding a business associate agreement. “[A] person or an entity is a business associate if the person or entity meets the definition of ”business associate,” even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity.” (78 FR 5574).
For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.