The original HIPAA Privacy Rule of 2003 included provisions for Covered Entities (health care providers, health insurance issuers, and health care clearinghouses) to share protected health information on behalf of the covered entities with “business associates”.
In this Article …
- What is the definition of a Business Associate?
- Who is not a Business Associate?
- What are examples of Business Associate organizations?
- What is a Business Associate Contract?
- What are other Business Associate Contract Requirements?
- Can I avoid a Business Associate Agreement?
- How did the HITECH Act of 2009 affect Business Associates?
- Business Associates and HIPAA Breaches
What is the definition of a Business Associate?
The formal definition of a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of the covered entity.
Business associate functions include services such as:
- Claims processing or claims administration,
- Data analysis, data processing or data transmission services,
- Utilization review,
- Quality assurance,
- Billing, including claims submission or claims reprocessing,
- Benefit program management, and
- Practice management.
Types of services that may be provided by business associates include:
- Legal services,
- Actuarial services,
- Accounting services,
- Consulting services,
- Data analysis or data aggregation,
- Management services,
- Administrative services,
- Accreditation services, and
- Financial services.
Download a FREE copy of our PDF fillable Business Associate Agreement Template.
Who is not a Business Associate?
Understanding who is not considered a Business Associate under HIPAA rules can be just as crucial as knowing who is. To clear up any confusion, let’s examine some instances where entities or individuals are not deemed Business Associates.
- Members of a covered entity’s workforce are not business associates.
- Health care providers who share protected health information as a part of the treatment of an individual are not business associates of each other. Examples include physicians treating patients in a hospital or referring patients to laboratory or imaging services.
- An employer who sponsors a group health plan is not a business associate of a health insurance issuer or a health maintenance organization who provides health insurance benefits.
- Providers who participate in an organized health care arrangement are not business associates of each other.
What are examples of Business Associate organizations?
There are numerous examples of organizations that are business associates of covered entities:
- A third-party administrator that performs claims processing functions,
- A CPA firm, a consultant, or an attorney performing services for a covered entity that involve access to protected health information,
- A health care clearinghouse that receives protected health information from a covered health care provider and transmits it to payers,
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
What is a Business Associate Contract?
Business associate contracts are also referred to as business associate agreements.
A Business associate contract is required whenever a covered entity transmits protected health information to another entity whose service involves receiving, storing or processing the PHI. A HIPAA business associate agreement must include several provisions:
- The permitted and required uses of the PHI or electronic protected health information by the business associate.
- Require that the business associate not use or further disclose protected health information other than as permitted or required by the business associate contract or by law.
- Require the business associate to use appropriate safeguards to prevent the use or disclosure of protected health information other than as provided for by the contract.
What are other Business Associate Contract Requirements?
A written business associate agreement should also require other activities by the business associate in order for the covered entity to be assured the business associate is complying with HIPAA rules.
- Business associates should agree to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
- Business associates should agree to report to the covered entity any use or disclosure of such Protected Health Information not provided for in the business associate agreement of which it becomes aware, including breaches of unsecured PHI, and any Security Incident of which it becomes aware.
- Business associates should agree to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by the business associate on behalf of the covered entity, agrees to the same restrictions and conditions that apply through the business associate agreement to the business associate.
- Business associates should agree to provide access, at the request of the covered entity, and in the time and manner designated by the covered entity, to PHI in a Designated Record Set, to the covered entity or, as directed by the covered entity, to an individual authorized to receive the PHI.
- Business associates should agree to make any amendment(s) to PHI in a Designated Record Set that the covered entity directs or agrees to at the request of the covered entity or an individual, and in the time and manner designated by the covered entity.
- Business associates should agree to document disclosures of PHI and information related to such disclosures as would be required for a covered entity to respond to a request by an individual for an accounting of disclosures of PHI. They should also respond in a timely manner to covered entities requesting information to respond to a request for an accounting of disclosures of PHI.
- The provisions of the HITECH Act that apply to business associates should also be incorporated in the business associate agreement.
- Business associates who receive or transmit protected health information electronically should be required to carry cyber liability insurance.
Can I avoid a Business Associate Agreement?
If a covered entity transmits ePHI to an independent medical transcriptionist but doesn’t sign a business associate agreement with them, is the transcriptionist still a business associate?
Yes! A business associate relationship is a function of the PHI shared and the business associate services provided. Several covered entities have found out the hard way during an investigation of a breach of PHI at a business associate that the lack of a business associate agreement with an organization receiving the covered entity’s PHI does not protect the covered entity – or the erstwhile business associate – from penalties under HIPAA. Organizations receiving, transmitting, or storing PHI from a covered entity are considered business associates, even if no business associate agreement is in place.
How did the HITECH Act of 2009 affect Business Associates?
The HITECH Act made business associates directly liable for compliance with several provisions of the HIPAA Privacy, Security, Breach Notifications and Enforcement Rules. Some of the most important of these potential violations include:
Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the HIPAA Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI (ePHI) to either (a) the covered entity or (b) the individual or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations under 45 CFR 164.524(c)(2)(ii) and 3(ii), respectively, with respect to an individual’s request for an electronic copy of PHI.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
The HITECH Act does not permit the U.S. Health and Human Services Department Office for Civil Rights (OCR) to take action against a business associate for charging an unreasonable fee for access to protected health information held by the business associate. But the OCR can still take action against the covered entity using the business associate in those circumstances.
Business Associates and HIPAA Breaches
Business associates are not necessarily more vulnerable to unauthorized disclosures of PHI, but the scope of unauthorized disclosures can be very large when the business associate’s services involve large volumes of ePHI. Hacking incidents have already resulted in the unauthorized disclosure of 1.5 million ePHI records in the first half of 2023 alone, according to reports in the OCR’s Breach Portal, aka, the “HIPAA Wall of Shame.”
Although the HITECH Act clarified many of the issues related to business associates and the need for a business associate agreement, there are still many nuances to the requirements for business associate agreements with certain health care providers. For more questions, a valuable resource can be found in the FAQ section on Business Associates on the HHS website regarding HIPAA.