HIPAA Tip #4: Understanding HIPAA Business Associates



What Is a HIPAA Business Associate?

Most developers in the healthcare space already know that HIPAA is the primary US federal law protecting the privacy and security of personal health data. HIPAA applies in all fifty US States, and protects individually identifiable health information in all forms and media, including hardcopy, digital, imagery, and even spoken conversations. All US medical providers are considered “covered entities” (CEs) under HIPAA, and are directly regulated by HIPAA Regulations (Regs). But many other organizations who do not provide direct medical care, from transcription services to software developers, are now subject to the HIPAA Regs as well, and are known as “Business Associates”.

Beginning in September 2013 with the HITECH Act, Business Associates became directly liable for HIPAA compliance.

[Image: BA Compliance Timeline]

What Is a Business Associate under HIPAA?

The Office for Civil Rights (OCR), the official HIPAA enforcement agency, states:

“A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”

A BA under HIPAA, in simple terms, is any person, company, or other entity that is exposed to “Protected Health Information” (PHI), and performs some work or other function(s) involving the use of PHI on behalf of a CE or another BA.

While doctors and hospitals who provide direct medical care are considered CEs under HIPAA, all other entities who handle, process, or are routinely exposed to PHI are classified as Business Associates. Some BAs, like transcription services or medical document storage firms, obtain PHI directly from Covered Entities. Other types of BAs, like app developers, obtain PHI from other Business Associates or from a wide variety of other sources. In every case, it is the presence of PHI that determines whether a given entity is or is not a BA. If PHI is on or in its systems, that entity is a Business Associate. If PHI is not received, stored, processed or used by an entity, that entity is not a BA and is not subject to HIPAA Regs and HIPAA compliance.

BA Relationships Follow the PHI

Business Associates today frequently have a number of other BAs they work with, either upstream or downstream from themselves. An app created by a developer, for example, may obtain PHI originally from a hospital or a series of clinics. When running, that app might send PHI to an A.I. or machine-learning vendor for analytical processing. PHI may also be routed to a voice processing firm for speech-to-text processing. Data at any stage of the app’s functions might be stored on a cloud vendor’s site as it is processed or after processing. Finally, the app itself may be hosted on an app hosting platform or ecosystem.

In each of these situations, the presence of PHI determines whether an individual vendor or partner is a BA under HIPAA. If PHI is present or is used, the vendor that handles it is a BA. If PHI is never present or used in any way, the vendor is not a BA and is not subject to HIPAA.

[Image: The Covered Entity – Business Associate Chain]

As Business Associates, Developers Have Direct Liability under HIPAA

The HITECH Act, beginning in late 2013, made Business Associates directly liable for compliance with most of the HIPAA Regulations and applies the same penalties to BAs that apply to Covered Entities.
Under HIPAA’s Privacy Rule, all limitations on how a CE uses or discloses PHI automatically extend to its BAs, and create direct liability for the BAs.

BAs, including developers, are directly liable under HIPAA for the following:

  1. Impermissible uses and disclosures;
  2. Failure to provide breach notification to the CE;
  3. Failure to provide access to a copy of electronic PHI to either the CE, the individual, or the individual’s designee (whichever is specified in the BAA);
  4. Failure to disclose PHI where required by HHS to investigate or determine compliance;
  5. Failure to maintain general, overall compliance with HIPAA, as required;
  6. Failure to provide an accounting of disclosures; and
  7. Failure to comply with the applicable requirements of the Security Rule.

Business Associate Relationships Are Governed by Business Associate Agreements (BAAs)

HIPAA Regs require that in each situation where PHI is exchanged or used between two entities, a written agreement must be in place. These agreements are known as “Business Associate Agreements” (BAAs) and are legally binding contracts, enforceable in courts of law. According to the OCR:

“A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law.”

BAAs between a developer and its various vendors and partners must be in place before PHI is exchanged between the parties; otherwise the exchange itself is a HIPAA violation subject to severe penalties.

BA Duties under HIPAA Fall into Two Broad Categories

Developers must understand that their duties as a HIPAA Business Associate fall into two broad categories: 1) duties directly required by HIPAA, and 2) duties required by BA Agreements.

ONE – Required by HIPAA (Non-compliance = HIPAA Violation)

  1. Limit uses and disclosures of PHI:
     – Pursuant to HIPAA
     – Pursuant to the BAA
  2. Notify the Covered Entity or upstream BA of any breach of unsecured PHI.
  3. Provide electronic copies of health data (if applicable) to the CE, upstream BA, or directly to individuals (as set forth in the BAA) to respond to a request for access.
  4. Disclose records (including PHI) to HHS for HIPAA investigations.
  5. Provide an accounting of disclosures (if applicable).
  6. Comply with the Security Rule:
     – General requirements
     – Administrative safeguards
     – Physical safeguards
     – Technical safeguards
     – Organizational requirements
     – Policies and documentation

TWO – Required Only by BA Agreement (Non-compliance = Breach of Contract)

  1. Safeguards for hard copy and verbal PHI.
  2. Report impermissible uses and disclosures that do not qualify as a breach of unsecured PHI.
  3. Report security incidents.
  4. Provide the designated record set maintained in hard copy to respond to a request for access.
  5. Ensure that an appropriate agreement is in place with subcontractors (failure to do so is a potentially punishable impermissible disclosure).
  6. Make PHI available for amendments and incorporate amendments.
  7. Return or destroy PHI at termination.

For developers, being a Business Associate under HIPAA can seem daunting. However, fully understanding BA relationships and BA Agreements is essential to avoiding violations and enforcement actions. It’s also necessary for success under HIPAA.

For more on Business Associate Agreements (BAAs) check out our next tip, or subscribe below to learn more about MedStack and get tips delivered straight to your inbox.