If you have a client that works with HIPAA protected data in any way, it’s in your best interest to clarify exactly what responsibilities you have as their solutions provider. This means you need a concrete understanding not only of what qualifies as a covered entity, but also, who qualifies as, and what it means to be a “business associate.”
HIPAA was designed not only with the protection of patient information in mind, but also with an understanding of the layered relationships that providers have with the organizations around them. Enter the “business associate” — a title that can leave its owner in just as much hot water as any negligent care provider, even if they’ve never seen a patient.
The term “business associate” refers to any person or organization that does business with a covered entity, with the stipulation that the business relationship involves an exchange or disclosure of protected health information. That means, that any company that performs services on behalf of the covered entity (claims processing, data analysis, utilization review, billing, legal, actuarial accounting, consulting, data aggregation, management, administration, accreditation, or financial services), and touches protected health information (PHI), is defined as a business associate. The HITECH (Health Information Technology for Economic and Clinical Health) Act broadens that definition to include organizations that provide data transmission of PHI to a covered entity.
To give a more specific example, a software vendor that is doing nothing but selling software to a covered entity is not a business associate. However, if they are hosting the software (that contains patient information) on their own servers, they would fall under the classification of business associate.
More Than Just Liability
Being a business associate goes beyond just being held liable if anything goes wrong with patient data. The Department of Health and Human Services (HHS) stipulates that, when a covered entity enlists the services of any contracted worker to perform the work of a business associate, that the contract between the two entities include certain protections around the information. The covered entity also does not have the right to contractually authorize a business associate to make any use or disclosure that violates HIPAA rules.
It also means that it’s in your best interest to keep up with HHS’ changes around the definition and requirements of business associates. As of September, 2013, the department released an omnibus rule adding new stipulations to the requirements of all business associate contracts. HealthITSecurity also offers a discussion around the cloud and business associate agreements after the omnibus rule changes.
The Past Can Come Back To Haunt You
Retroactivity of rules around business associate status can also impact solution providers. Boston Medical Center fired a transcription service in April of this year after a provider found out that records of over 15,000 patients were posted to that service’s website. The hospital had been doing business with the transcription service for almost a decade, and it was unclear when the records were posted. Regardless, because of the severity of even the risk of the breach, Boston Medical still decided to sever business ties with the business.
Solutions providers looking to go deeper can read more at HHS’s page dedicated to helping stakeholders better understand the rules and responsibilities around HIPAA.