Posted by: Jenny Laurello
Business associates, covered entities, HIPAA, HIPAA omnibus, PHI, Protected health information
Covered entities (e.g., doctors, hospitals, etc.) provide health services, while business associates help them provide health services. Until January, only covered entities were responsible for reporting data breaches to the Department of Health and Human Services (HHS). While HIPAA required the covered entities to contractually obligate their business associates to safeguard any protected health information (PHI) they handled, business associates were under no obligation to report data breaches to anyone other than the covered entities they served.
But that’s all changed since the finalization of the HIPAA Omnibus rule:
- Health information exchanges, regional health information organizations, or any companies or communities (e.g., a document-storage company, a media-destruction company, an e-prescribing gateway, a patient-safety organization, etc.) that provide more than just data-transmission services for PHI are now business associates.
- Business associates are now required to report any PHI breaches directly to HHS Office for Civil Rights, abide by the same rules and regulations as the covered entities they serve, and accept the same penalties.
So the question is: are you a business associate?
Do you create, receive, maintain, or transmit PHI? If so, you’re a business associate. But if you merely bus the PHI (e.g., a telecommunications company, a courier, etc.) and don’t have regular access to it, you’re not.
What if you’re a record-locator service, an entity that uses PHI to respond to questions from a community? You’re not creating, receiving, maintaining, or transmitting PHI, but you are accessing it regularly. You’re a business associate.
What if you merely bus data but are required by state law to look at it in order to satisfy a discovery requirement, manage a billing issue, or research a transmission failure? You’re not accessing it regularly, so again, you’re not a business associate.
Reality isn’t always as black and white as these examples. For instance, is a PHI record vendor a business associate? It depends. A PHI record vendor who solicits all the hospitals in a state and signs interoperability agreements in order to receive PHI would not be a business associate.
A vendor becomes a business associate the moment a hospital asks that vendor to open up a patient portal on its behalf.If a business associate subcontracts personnel to work in their IT department, the subcontractor is now subject to HIPAA and In fact, if that subcontractor hires their own subcontractor to help with their subcontracted work, they too will become a business associate and subject to HIPAA.
This means you must now take a fresh look at every relationship you and your partners maintain, no matter how many degrees of separation there may be between you and a covered entity. You must determine whether your partners, subcontractors, or their subcontractors are accessing data while performing a service for you — and if they are, therefore, classifiable as business associates.
HIPAA is trying to ensure that partners and subcontractors take the same care with data as covered entities and business associates do. That makes it the perfect time to review your policies and perform a new risk assessment. It’s time to determine if you routinely access PHI to perform a specific task on someone’s behalf and if you must conform to HIPAA’s new definition.
All business associates must recognize their status and ensure their compliance with the HIPAA Omnibus rule by September 23, 2013. Will you guarantee you’ve satisfied the definition by then, or are you merely “pretty sure” you already have?
For more information, please visit Axway.