Much has been made about business associates in HITECH and the HIPAA Final Omnibus Rule. In a previous post and in our webinar we hit on the high points – that much of HIPAA applies directly to business associates, and that business associates themselves have obligations relative to their business associates. Indeed, not only do “traditional” business associates have increased compliance obligations, but so do their vendors – many of whom might be entirely unaware of this fast-moving train barreling down the tracks.
With compliance deadlines around the corner, providers are likely wondering what this means for them. Most are quite familiar with the HIPAA requirement that they have a business associate agreement (“BAA”) in place with their business associates. For many, this has historically been nothing more than a low-priority formality. Now, they must ensure that these agreements adequately address downstream compliance obligations, in particular those related to an unauthorized access, use, or disclosure of PHI. More fundamentally, providers will need to be more vigilant in identifying their business associates. And, due to increased enforcement, providers may wish to shepherd their business associates as they strive to become compliant with HIPAA, and even consider periodically auditing these vendors for HIPAA compliance. As part of this process, which will be discussed in greater detail below, we suggest that providers consider educating their business associates on identifying subcontractors and making these vendors aware of their own HIPAA compliance obligations.
Identify Your Business Associates
Traditional business associates are easy to identify. Many providers outsource claims processing. Providers frequently engage professionals to provide legal, accounting, and various consulting services. When sensitive patient information is no longer needed, providers will often contract with a document shredding company to properly dispose of these records. Because these third parties provide services which involve creating, receiving, maintaining, or transmitting PHI for a HIPAA covered entity, they fall squarely within the definition of business associate.
But what about a courier that transmits PHI but does not need frequent access to it? Or a data transmission service, such as telecommunications or a health information exchange, the provision of which may or may not require access to the PHI? Is a third-party financial services entity a business associate when the only information it accesses is the name of the patient, the provider, and the cost of the service? These types of third parties may be business associates. The analysis turns on what type of information is provided to the third party, the type of service provided by the third party, and whether the third party needs routine access to the PHI.
Providers must be attentive to these and other types of situations involving the disclosure of potentially sensitive information outside their organization. We recommend training all associates who might interface with such situations so that, at the very least, they will be able to identify situations which might involve a business associate. Although the answer is not always clear, covered entities can best position themselves by having the proper procedures in place to enable them to know when to ask the right questions.
Educate Your Business Associates on Their Business Associates
Once providers identify their business associates and enter into a BAA, they should stay engaged with these business associates. Just like their covered entity counterparts, the business associates must also enter into BAAs with their third-party vendors. However, unlike most covered entities, many of these business associates will not be familiar with having to identify their business associates. We envision this as one of the greatest challenges posed by the Final Rule.
Take the example of a small physician practice which engages a consultant to provide coding and billing consultation. The consultant, likely a business associate, may utilize various vendors – for document services and data storage, for example. These vendors, to the extent they provide services for the consultant which involve the physician practice's PHI, are likely subcontractor business associates.
It is these types of vendors who, although they handle sensitive information, may be entirely unaware of their HIPAA compliance obligations. HIPAA is widely thought to apply only to health care entities. Providers know better than this, but many vendors likely still do not. Because providers are ultimately responsible for ensuring the privacy and security of their patients' PHI, it is up to the providers to educate their vendors.