HIPAA and the Business Associate Puzzle
July 2003 Issue
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. One part of that law, the Privacy Rule, went into effect on April 14, 2003. If your business is a "covered entity" as defined by the privacy regulations, you must comply with the requirements of these regulations.
The final regulations for the HIPAA Privacy Rule were released by the Department of Health & Human Services (DHHS) in August 2002. The Office for Civil Rights (OCR) is charged with enforcement of the provisions of the Rule. Because these regulations are rather new, OCR is continuing to interpret them as well as to provide both technical assistance and information to entities required to comply. Thus, clarification of the issues under the HIPAA Privacy Rule is an ongoing process.
A key concept under the privacy regulations is that of "business associate." This term is defined as "a person or entity that performs a function or activity on behalf of a covered entity that involves individually identifiable health information." The regulations require that your business have a written agreement with persons/entities who are business associates to ensure that the personal health information that you share with them is both used and safeguarded appropriately ("satisfactory assurances"). Thus, a covered entity cannot generally disclose protected health information (PHI) to a business associate without such a written agreement. Interestingly, the burden is on the covered entity to initiate the business associate agreement, but there is no requirement that the covered entity monitor how the business associate abides by the terms of the agreement. Furthermore, under the regulations, you are not legally liable for the actions of your business associate, but, if you discover that your business associate has violated the agreement, you must take reasonable steps to correct the violation; if you cannot correct the violation, you must terminate the agreement.
Identifying your business associates is not an easy task. The regulations add some information: The business associate is a person/entity who performs, or assists in performing, a "function or activity involving the use or disclosure of" personal health information. These functions or activities include "claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management and repricing," and it also includes providing "legal, accreditation or financial services." Complex legal language!
For the use of O&P businesses, a "business associate" is NOT a member of your workforce. Also, it is NOT another healthcare provider to whom you disclose personal health information for treatment purposes, such as a referring physician or physical therapist. Furthermore, it is NOT a payer, nor is it a health plan to which you disclose personal health information for the purposes of payment or accepting a discounted rate for your services. It is NOT your janitorial service or a courier service, such as UPS, FedEx, or the US Postal Service. Finally, it is NOT a telephone or copier repair person who might stumble across some personal health information; this sort of situation is referred to within the regulations as an "incidental disclosure." It is a very different situation with a software vendor who sees PHI while installing or developing new software for you.
Thus, you can start the process of defining your business associates by asking three questions:
(1) Does the business perform or assist in the performance of an activity or function involving the use or disclosure of PHI? Or
(2) Does the business provide legal, actuarial, accounting, consulting, management, claims processing, accreditation, or financial services that require the disclosure of PHI? And
(3) Does the business require the PHI in order to perform its function or does the person need the PHI to perform his/her duties?
In O&P, we do know that a central fabrication facility is considered part of "treatment" and is not a business associate. However, an entity that sells componentry and receives PHI in order to provide the appropriate componentry would be considered to be your "business associate." In fact, such a provider is referred to as a "specialty vendor," that is, a vendor that assists the direct treatment provider or enables the direct treatment provider to provide its services. Another business associate question has arisen regarding an entity that receives PHI as part of the warranty process: such an entity should be considered a business associate under the definition of the regulations, as it is receiving PHI in order to perform its duties, i.e., to warranty a particular component.
It is important to note that, even if your business is a covered entity, it may also be a business associate. For example, if you have a contract to provide services to a clinic or hospital and you are paid by that entity for the provision of services, you are a business associate of that clinic or hospital. The key in this situation is that you are being paid under a contract to provide services. Also, there has been some advice issued regarding the signing of a business associate agreement with another provider even if you are not a business associate under HIPAA. However, your lawyer would most likely tell you that it is never advisable to undertake legal obligations when it is not necessary to do so.
The issue of "business associate" will, no doubt, continue to be clarified by OCR as the implementation of the privacy regulations proceeds, and you will receive that information in later issues of The O&P Edge.
Sheila M. Press, Attorney, is president of Healthcare Compliance Solutions, a company providing consulting services, including HIPAA and OIG compliance, and customized compliance programs for O&P. Contact her at 480.767.9477; e-mail email@example.com; www.hccsolutions.com.