Are You a HIPAA Business Associate? It isn’t as Simple a Question as it Sounds.

As we enter summer this year, it is just a short few months to September 23, 2013 and so what is special about that date? That is when HIPAA business associates, those organizations that work with healthcare providers, health plans, and others who are exposed to sensitive patient data (protected health information, or PHI), are required to comply with new privacy, security and breach notification rules from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) - known as the HIPAA Omnibus Final Rule.

So with this date fast approaching, do you know if your organization is a HIPAA Business Associate? And do you know all of the organizations that you work with that are also HIPAA business associates? It may not be as simple as you think (or hope) to know. But first, do you really need to care?

The answer to this question is a definitive “yes”. If you are considered a business associate under HIPAA and the HITECH Act, you have substantial obligations beginning in September to ensure the privacy and security of patient health information, and you also have notification obligations if you have a “breach” of such information. If you were investigated by OCR and found to be “neglectful” in complying with these provisions under the HIPAA Omnibus Rule, you may find your organization subject to fines, penalties, and corrective action plans, which can be financially substantial and operationally onerous.

So let’s look at what defines a business associate. On the HHS website, they define a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Under the Final Omnibus Rule, the definition is further explained and clarified.

Thanks to the Godfrey & Kahn Law Firm for their description of clarifications made in the Final Rule

“Under the Final Rule, a “business associate” is generally a person or entity that creates, receives, maintains, or transmits protected health information (PHI) in fulfilling certain functions or activities for a HIPAA-covered entity. Health information that is created or received by a covered entity, identifies an individual, and relates to that individual's physical or mental health condition, treatment, or payment for health care is considered PHI when it is transmitted by or maintained in any form of medium, including electronic media. Notably, the new definition clarifies that "business associates" include entities that "maintain" PHI for a covered entity, such as a data storage company.

The Final Rule also clarifies the definition of a "business associate" by expressly including health information organizations, e-prescribing gateways, and other persons that provide data transmission services with respect to PHI and require "routine access" to PHI. Additionally, as further explained below, the new definition of "business associate" provides that certain subcontractors of business associates are also "business associates." Due to the significance of the new rules and the imposition of direct liability on business associates under HIPAA, entities which are unsure of whether they qualify as a business associate should clarify with legal counsel.”

So the healthcare world that we are about to move into isn’t as simple as the one in which we are today. How so? Well first, HIPAA covered entities, those organizations such as healthcare providers and health plans, must revisit their inventory of business associates, and based on the Final Rules, see if they have other organizations that would be considered business associates based on the clarified definitions. If so, they are obligated to have business associate agreements with those organizations.

Then second, if your organization currently works with HIPAA covered entities and has a business associate agreement with them, you would be well served to investigate and understand the new obligations that you now carry under the Final Rules. It is fairly likely that your organization is either unaware of or unprepared to comply with the provisions of the Privacy Rule, the Security Rule and the Breach Notification Rule. There are specific actions that you must take to consider yourself in compliance.

Third, if your organization is currently a HIPAA business associate, you now may have subcontractors that you work with that are also considered business associates under the Final Rules. You have obligations to execute a business associate agreement with them. And they have obligations to comply with the new Rules. And in some cases, these subcontractors may not even be aware that they are now considered business associates. Whether they know it or not, they do have new obligations. So hopefully they are paying attention.

And that brings us to our fourth item. If your organization works in any way with healthcare organizations or healthcare patient data, you should get a legal opinion as to whether you could be considered a business associate under the new Rules. Waiting for your covered entity or upstream business associate to notify you of your obligations and provide you a business associate agreement to sign, may not be the best path. They may not recognize in a timely manner that your organization is, in fact, a business associate. You would be well served to be proactive in this regard and find out for yourself if you are considered a business associate under the new Rules and if so learn more about your obligations.

So hopefully in reading this, you realize that there is a lot of do and consider this summer, before we reach September 23, 2013. If you require any further motivation, note that OCR has recently completed an audit program where they audited a collection of HIPAA covered entities as to their level of compliance with HIPAA standards. The results were really not encouraging. You can check out the presentation by Linda Sanchez, OCR Senior Advisor, Health Information Privacy and Lead, HIPAA Compliance Audits here. In this presentation, she notes that in the next phase of audits, HIPAA business associates will also be included.

So think about it. If you received a letter from OCR notifying you that your organization is a HIPAA business associate and that you were selected for a HIPAA privacy and security audit, do you think you’d be ready?