Business Associate Requirements
HIPAA also allows CEs to share PHI with business associates. Generally, a business associate is a person or organization, other than a member of a covered entity’s workforce, performing certain functions or services on the covered entity’s behalf that involve the use or disclosure of individually identifiable health information. It is possible for one CE to be the business associate of another CE.71 The functions or activities that a business associate can perform on the CE’s behalf include claims processing, data analysis, utilization review, and billing. The services that a business associate may provide for a CE are limited to legal, actuarial, accounting, consultation, data aggregation, management, administrative, accreditation, or financial services.72
In 2009, HITECH designated health information exchanges and other organizations that transmit PHI to a covered entity (or its business associate) and require routine access to PHI as business associates that must enter into business associate contracts with the covered entity.73 In particular, this modification will affect Health Information Organizations (HIOs) and personal health record (PHR) vendors that transmit PHI to covered entities and require routine access.74 In the recent Proposed Rule implementing the HITECH amendments, HHS also proposed to expand the business associate definition by adding patient safety activities to the list of functions and services a person or organization may undertake on a covered entity’s behalf to give rise to a business associate relationship.75 As such, when Patient Safety Organizations76 conduct quality analysis with PHI, they will be treated as business associates.
Generally, a business associate is required to sign a business associate agreement (contract), comply with the HIPAA Privacy Rule and the HIPAA Security Rule, and assume other liabilities. Since HITECH, business associates are directly liable under HIPAA, which means that enforcement action can be taken against them and not just through the covered entity. HHS is also seeking to include a business associate’s subcontractor in the definition of business associate.77
The Privacy Rule requires a CE to obtain satisfactory assurances from its business associates (in the form of a contract or other written agreement) that the business associate will appropriately safeguard any PHI it receives or creates on the covered entity’s behalf.
Footnotes
- 71. 45 C.F.R. § 160.103.
- 72. Id.
- 73. ARRA, Pub. L. No. 111-5, Div. A, Title XIII, § 13408, 123 Stat. 270 (2009).
- 74. HHS specifically stated that the proposed business associate definition would apply to these types of organizations. See Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,912 (to be codified at 45 C.F.R. §160.103).
- 75. Id.
- 76. 42 C.F.R. § 3.20 (2010) (defining patient safety activities and patient safety organizations).
- 77. Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,873.
.png)