*This article was originally published by OneTrust DataGuidance in January 2020.*

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies only to covered entities: health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses known as "business associates." Business associates are subject to HIPAA, and this article outlines what a business associate is, what a business associate's obligations are, how a business associate can be liable for HIPAA violations, and tips to avoid such liability.

What Is a "Business Associate?"

The HIPAA Privacy Rule allows covered providers and health plans to disclose protected health information (PHI) to certain individuals and entities known as "business associates" if certain conditions are met, as discussed below. A "business associate," defined at 45 CFR 160.103, is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.

Business associate functions and activities include: (a) claims processing or administration; (b) data analysis, processing or administration; (c) utilization review; (d) quality assurance; (e) billing; (f) benefit management; (g) practice management; and (h) repricing. Business associate services are: (1) legal; (2) actuarial; (3) accounting; (4) consulting; (5) data aggregation; (6) management; (7) administrative; (8) accreditation; and (9) financial.

Covered entities may disclose PHI to an entity in its role as a business associate only to help the covered entity carry out its health care functions, not for the business associate's independent use or purposes, except as needed for the proper management and administration of the business associate. Covered entities may disclose PHI to business associates if the covered entities obtain "satisfactory assurances," as described in 45 CFR 164.502(e)(1), that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the HIPAA Privacy Rule.

The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. This is the reason for the existence of the "business associate agreement," which is sometimes overlooked or agreed to as a mere formality by entities or individuals who are going to receive PHI from a covered entity. It is, however, an important legal document outlining the covered entity's and business associate's regulatory obligations under HIPAA when handling such PHI, as well as the obligations of a subcontractor business associate when PHI is shared between a business associate and its subcontractor.

A business associate agreement must contain the elements specified at 45 CFR 164.504(e). For example, the agreement must: (a) describe the permitted and required uses of PHI by the business associate; (b) provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and (c) require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the agreement.

Direct Liability of Business Associates

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, making business associates of covered entities directly liable for compliance with certain requirements of HIPAA. Consistent with the HITECH Act, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued a final rule in 2013 to modify HIPAA by identifying provisions of HIPAA that apply directly to business associates and for which business associates are directly liable. 78 Fed. Reg. 5566 (January 25, 2013). As set forth in the HITECH Act and OCR's 2013 final rule, OCR has authority to take enforcement action against business associates for the following:
Resolution Agreements Between HHS and Business Associates

The HHS OCR database provides a list of the resolution agreements entered into between HHS and a covered entity or business associate following notification to HHS that either the covered entity or business associate may have violated HIPAA. This is a great resource for learning what the government deems to be non-compliance with HIPAA and can be instructive for any organization dealing with HIPAA. A resolution agreement is a settlement agreement signed by a covered entity or business associate. Importantly, by entering into a resolution agreement, the covered entity or business associate is not admitting liability with respect to the purported HIPAA violations, and HHS releases the parties from any actions it may have against them for the conduct at issue. Under the terms of the resolution agreement, the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During this period, HHS monitors their compliance with those obligations; the agreement may also include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity's or business associate's demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed on them for noncompliance. The following is a list of resolution agreements between HHS and business associates after potential HIPAA violations:
CHSPSC, LLC agreed to pay $2,300,000 to the OCR and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy and HIPAA Security Rules related to a breach affecting over six million people. In April 2014, the Federal Bureau of Investigation notified CHSPSC, a business associate that provides services to hospitals and clinics, that it had traced a cyber-hacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the PHI of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network. The OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis and failures to implement information system activity review, security incident procedures, and access controls. Specifically, the OCR’s investigation indicated potential violations of the following provisions:
Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia agreed to settle potential violations of the HIPAA Security Rule after the theft of a CHCS mobile device compromised the PHI of hundreds of nursing home residents. CHCS provided management and information technology services as a business associate to six skilled nursing facilities. The total number of individuals affected by the combined breaches was 412. The settlement includes a monetary payment of $650,000 and a corrective action plan. The OCR initiated its investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not password protected. The information on the iPhone was extensive and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information. At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan. Specifically, HHS’s investigation indicated potential violations of the following provisions:
Tips to Avoid Liability as a Business Associate
HIPAA is complicated; knowing the HIPAA rules and how they apply to your operation is key to compliance. For more information about HIPAA compliance, visit our Health Law Matters blog.

Frequently Asked Questions

Which of the following describes a business associate according to HIPAA?
A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

What are the obligations of a business associate?
The following are key compliance actions that business associates should take:
- Determine whether business associate rules apply.
- Execute and comply with valid business associate agreements.
- Execute valid subcontractor agreements.
- Comply with privacy rules.
- Perform a Security Rule risk analysis.

What kinds of businesses may be required to comply with HIPAA?
- Health plans.
- Health care clearinghouses.
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.

Which of the following is a covered entity under the HIPAA Privacy Rule?
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.