HIPAA Business Associates
Software providers, whose solutions interact with systems that contain ePHI, are considered business associates, as are cloud service providers, cloud platforms, document storage companies (physical and electronic storage), collection agencies, medical billing companies, asset and document recycling companies, answering services, attorneys, actuaries, consultants, medical device manufacturers, transcription companies, CPA firms, third party administrators, medical couriers, and marketing firms. Business associates of covered entities must also comply with HIPAA Rules and can be fined directly by regulators for non-compliance.
Business associates of HIPAA-covered entities must sign a contract with the covered entity, termed a business associate agreement or BAA, that outlines the responsibilities of the business associate and explains that the business associate is required to comply with HIPAA Rules.
While a business associate must agree to comply with HIPAA Rules and is responsible for ensuring the confidentiality, integrity, and availability of PHI in its possession, it is the responsibility of a covered entity to ensure that all business associates are complying with HIPAA Rules. If a business associate fails to comply with HIPAA Rules, it is the responsibility of the covered entity to take action to ensure noncompliance is corrected or the contract with the business associate is terminated.
It is the responsibility of a business associate to ensure that if any subcontractors are used, they too agree to comply with HIPAA Rules and sign a BAA. The circumstances in which a business associate agreement is not required are detailed below.
- When one covered entity purchases a health plan product or other insurance from an insurer, such as reinsurance. When the covered entity purchases the insurance benefits and when the covered entity submits a claim to the insurer and the insurer pays the claim, each entity is acting on its own behalf.
- With individuals or organisations (e.g. janitorial service or electrician) whose functions or services do not include the use or disclosure of protected health information, and where such individuals’ access to protected health information would be incidental, if at all.
- With a person or organisation that functions solely as a conduit for protected health information, such as the United States Postal Service, certain private couriers, and their electronic equivalents.
- To disclose protected health information to a researcher for research purposes, either with patient permission or as a limited data collection. Because the researcher is not performing a function or activity governed by the Administrative Simplification Rules, such as payment or health care operations, or providing one of the services listed in the definition of “business associate,” the researcher is not a covered entity’s business associate, and no business associate agreement is required.
- When a financial institution clears checks, initiates or processes electronic funds transfers, or engages in any other activity that directly facilitates or causes the transfer of funds for payment of health care or health plan premiums. When the financial institution performs these activities, it is providing its customers with typical banking or other financial transaction services; it is not executing a function or activity for or on behalf of the covered entity.
- When a health care provider provides protected health information to a health plan for payment considerations, or merely accepts a cheaper rate to participate in the health plan’s network. A provider who files a claim to a health plan and a health plan that assesses and pays the claim are both acting on their own behalf as covered entities, not as the “business associate” of the other.