Do I Need a HIPAA Business Associate Agreement?

Apr 5, 2020 | HIPAA, Tools & Resources, Webinars & Education

Identifying Business Associates

A HIPAA “Business Associate” generally is any person, other than a member of the workforce of a Covered Entity, who “creates, receives, maintains or transmits” PHI in the performance of services or functions for or on behalf of a Covered Entity.  Business Associates may generally use and disclose a Covered Entity’s PHI in order to perform and provide services and functions for and on behalf of a Covered Entity.  A Business Associate may not use or disclose PHI in any manner which would violate HIPAA if done by a Covered Entity.

NOT HIPAA Business Associate Activities

“Treatment” activities do not create a Business Associate relationship, even if the other party receives PHI from a Covered Entity.  Any disclosure made for treatment purposes to (i) a health care provider or (ii) another covered entity is specifically excepted from the Business Associate standard. For example:

  • A Covered Entity is not required to have a HIPAA Business Associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes. 
  • A physician is not required to have a HIPAA Business Associate contract with a laboratory as a condition of disclosing protected health information for the treatment of an individual.
  • A Covered Entity laboratory is not required to have a HIPAA Business Associate contract to disclose protected health information to a reference laboratory for treatment of the individual.  
  • A Covered Entity may disclose protected health information needed for an orthopaedic device manufacturer or its representative to determine and deliver the appropriate range of sizes of a prosthesis for the surgeon to use during a particular patient’s surgery.

“Payment” activities also do not create a Business Associate relationship where a Covered Entity is making the disclosure for its own payment purpose or for the payment purposes of another covered entity.  Therefore, a Covered Entity may disclose PHI to a health plan in order to receive payment for services provided to a health plan’s beneficiary. 

Individuals with “incidental access” to PHI are also not considered Business Associates because they do not require access to or use of PHI in connection with performing their job functions.  Therefore, contractors such as electricians or plumbers, janitors, and security guards are not considered Business Associates even if they may come into contact with PHI. 

Likewise, entities which meet the test of a “conduit” are not Business Associates.  The Office for Civil Rights (“OCR”) and Department of Health and Human Services (“HHS”) have traditionally recognized a limited exception to the business associate relationship for certain entities that simply transport or transmit PHI.  Entities such as the United States Postal Service, couriers, and their electronic equivalents transport PHI but do not have “routine access” to PHI other than infrequently or randomly, and disclosure of the PHI to such entity is not intended.  These entities are treated as “conduits” through which PHI is transported, not HIPAA business associates.

The same conduit exception that applies to couriers, such as USPS and FedEx, also applies to their “electronic equivalents”.  As reiterated by the Preamble to the Final HITECH Rule:

“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services [and their electronic equivalents.]  As we have stated in prior guidance, a conduit transports information, but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.” See 78 Fed Reg. 5571.

Thus, occasional, random access by certain types of data transmission entities does not make such an entity a business associate. The Preamble to the Final HITECH Rule gives the example of a telecommunications company which may have access to PHI when it reviews whether data being transmitted over its network is arriving at its intended destination. See 78 FR 5571-5572.

Conversely, an entity that manages the exchange of PHI through a network, including record locator services and various oversight and governance functions, has more than “random access” and would therefore meet the definition of a business associate. See 78 FR 5571. Furthermore, any entity that “maintains PHI” (i.e., provides data hosting of any kind) is a business associate even if the entity does not actually access the PHI, because its opportunity to access the PHI is persistent rather than merely transient. See 78 FR 5572.

Health Information Organizations (HIOs) and entities that act as health information service providers (“HISPs”) can be treated as “conduits” and not business associates where the only services and functions they provide relate to data transmission or routing of point-to-point encrypted messages.  According to the Direct Project protocols, best practice standards, and related guidance for HISPs and secured health transport, a HISP which provides mere transmission or routing functions is not a business associate.  Likewise, a HISP that transports only data that has already been encrypted by a sender and will remain encrypted until received by the intended recipient will not be a business associate unless it otherwise has access to unencrypted PHI on a routine basis or possesses decryption keys or other mechanisms.

Therefore, there is no HIPAA business associate relationship implicated by an HIO, HISP or similar entity simply performing data transmission activities on behalf of a covered entity, akin to an internet cable provider.  A business associate relationship will, however, be found where an HIO, HISP or similar entity performs more than mere data transmission, such as data aggregation, processing, hosting and transmission (other than as a conduit), encryption/decryption functions, record locator/querying functions, auditing and other oversight and governance functions, and creating data sets of de-identified information. These activities trigger HIPAA business associate obligations, including compliance with applicable provisions of the HIPAA Security Rule, written security policies and procedures, and written BAAs, among others.

HIPAA Business Associate Activities

Business Associates include information technology support teams, software vendors and the like who provide support to a Covered Entity’s electronic medical records where they require access to, create, maintain or transmit PHI in order to perform functions and services on behalf of a Covered Entity.  Likewise, a medical malpractice defense law firm, consultants who assist with utilization reviews, or medical transcriptionists are persons who would be considered Business Associates where they require access to PHI in order to perform functions on behalf of a Covered Entity. Other examples include:

  • Claims processing, billing, data analysis and processing, quality assurance, and practice or benefits management;
  • Legal, accounting, financial, consulting, management, support and accreditation activities;
  • Health IT and similar vendors that provide security support, data hosting and data backup (i.e., electronic medical record vendors) and patient personal health record vendors (PHRs); 
  • Health Information Exchange Organizations that facilitate electronic transmission of PHI and require “routine access” to such information, or which maintain PHI, even if they do not view it.
