Who Is a “Business Associate” Under New HIPAA Rules?

The recently published final rule from the Department of Health and Human Services relating to the privacy and security of protected health information focused close attention on the expanded definition and role of “business associates” and their subcontractors relating to protected health information (see “OCR Issues Advance Release of HIPAA Privacy and Security Rules,” January 21, 2013).

Direct Liability

Under the final rule, business associates of covered entities will be directly liable for compliance with certain HIPAA Privacy and Security Rules requirements. A business associate is a person or organization that, working on behalf of a covered entity (usually some type of healthcare provider, health plan, or health clearinghouse), creates, receives, maintains, or transmits protected health information (PHI). The regulations specifically include Health Information Organizations, E-prescribing Gateways or other persons or organizations that provide data transmission services for PHI to a covered entity and so require access on a routine basis to PHI. The final rule did not include a definition of “Health Information Organization” because HHS recognized that the field is still evolving. HHS did address concerns from commenters about what it means to be able to access PHI on a routine basis. The final rule specifically notes that courier services such as the U.S. Postal Service, United Parcel Service, and their related internet service providers would not be considered business associates.

Further, according to the rule, “a telecommunications company may have occasional, random access to protected health information when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to protected health information would not qualify the company as a business associate.” On the other hand, “a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”

Personal Health Record Vendor

A “personal health record vendor” is not a business associate of a covered entity solely by virtue of entering into an interoperability relationship with a covered entity. However, if the covered entity hires a vendor to provide and manage a personal health record service that the covered entity wishes to offer its patients or enrollees, and also provides the vendor with access to protected health information in order to carry out this task, then the vendor would be considered a business associate.


“Subcontractors” to business associates are also covered by these new regulations, if they are not part of the workforce of the business associate. This creates an extra burden of responsibility for covered entities. As HHS points out in the rule, “covered entities must ensure that they obtain satisfactory assurances . . . from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far ‘down the chain’ the information flows. This ensures that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions.”


The final rule clarifies that “an external researcher is not a business associate of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research.” However, if the researcher takes on a task such as creating a de-identified or limited data set for the covered entity, the researcher would be considered a business associate.

Banking and Financial Institutions

The final rule re-emphasized that the business associate rules do not apply to banking and financial institutions that undertake payment processing functions for a covered entity. A bank or financial institution could be considered a business associate, however, if it performed functions such as accounts receivable for a covered entity.