(Published in the Healthcare Review, April 2011)
Identifying which of your relationships with third parties require business associate contracts, and making sure to get those agreements in place, is an important part of any compliance program for those covered by the Health Insurance Portability and Accountability Act (HIPAA). It has been just over a year since the Health Information Technology for Economic and Clinical Health Act (HITECH Act) required HIPAA covered entities to make certain amendments to their business associate contracts. Now that the dust has settled after the flurry of activity involved with making those amendments, it is a good time to make sure that the basics of your HIPAA compliance are in order, such as making sure that those agreements are in place with the right third parties. Although you likely recently revised your form business associate contracts to comply with the HITECH Act’s requirements, do you know when to use them?
What is a Business Associate Contract?
As is typical with any analysis of HIPAA, the key to the answer lies in understanding the definitions. A business associate contract is an agreement between a HIPAA covered entity (such as a health care provider who submits claims electronically) and that covered entity’s business associate that governs the business associate’s use and disclosure of the protected health information (PHI) it receives from the covered entity. To understand that definition, it is necessary to understand how HIPAA defines a “business associate.” A business associate is a person or entity who performs activities or functions, or provides services, for or on behalf of a covered entity, where those activities, functions, or services involve the use or disclosure of PHI. The business associate contract is intended to document that the covered entity has “satisfactory assurance” from the business associate that it will appropriately safeguard the PHI it receives from the covered entity. If you are a covered entity, some examples of services you may have business associates perform on your behalf are claims processing, data analysis, or billing. You might also use business associates to provide legal, accounting, actuarial, consulting, management, data aggregation, administrative, accreditation, or financial services, although the third parties providing these services are only considered business associates if their services involve your disclosure of PHI to them. Both HIPAA’s Privacy Rule and the HITECH Act dictate what provisions must be included in a business associate contract, but note that those provisions may alternatively be incorporated into a third-party services agreement or the underlying agreement with the business associate.
When are Business Associate Contracts Required?
If you are a covered entity that utilizes the services of a business associate, you must have a business associate contract in place prior to your disclosure of PHI to that person or entity. Some business associates may provide the majority of their services to entities that are not covered by HIPAA and may be unaware of HIPAA’s requirements; therefore, do not rely on them to determine whether a business associate contract is required. Start by making a list of all the companies you do business with that handle PHI, and then determine whether each of them should be considered a business associate. For example, do you contract with a shredding company that removes your paper documents for proper disposal, or with an off-site record storage company? These companies are performing functions on your behalf that likely involve the use of PHI, and you should make sure you have business associate contracts in place with them.
If you are a business associate, you should know by now that the HITECH Act makes the requirement to enter into a business associate contract just as much your obligation as it is that of the covered entity. However, the business associate contract requirement is not just a burden imposed on the parties; instead, it provides an excellent place to set out the parties’ expectations about the proper uses of PHI and their respective obligations should there be a breach of PHI while it is under the business associate’s control.
When are Business Associate Contracts Not Required?
If you are a HIPAA covered entity, you are not required to enter into a business associate contract if you are disclosing PHI to a health care provider for treatment purposes only, to an insurance plan in connection with payment, or to a government agency such as the Centers for Medicare & Medicaid Services in connection with an official investigation. Since members of a covered entity’s workforce are not considered business associates, there is also no need to enter into a business associate contract for services they perform on your behalf. The U.S. Department of Health and Human Services website lists other examples of when business associate contracts are not required, including, for example, with those providing janitorial services where disclosure and access to PHI would be incidental, if at all, or with “conduits” of health information, such as the U.S. Postal Service.
Recent news about the $4.3 million civil monetary penalty imposed on Cignet Health Center, part of which stemmed from Cignet’s failure to comply with portions of HIPAA’s Privacy Rule by denying patients timely access to their medical records, is great motivation for getting your compliance ducks in a row. Although the Cignet case is perhaps an extreme example of HIPAA Privacy Rule violations, it demonstrates that the U.S. Department of Health and Human Services is serious about taking action against companies that disregard HIPAA’s requirements. Making sure that you have the necessary business associate contracts in place is a crucial component of meeting those requirements.
Kara Dowal is an Attorney in the Corporate Department of McLane, Graf, Raulerson & Middleton, Professional Association. Kara can be reached at 603-628-1178 or [email protected]. The McLane Law Firm is the largest law firm in the State of New Hampshire, with offices in Concord, Manchester, Portsmouth, as well as Woburn, Massachusetts.