HIPAA Business Associate: That was then, this is now.Whereas theHIPAA Privacy Rule (“PR”) deals with protected health information (“PHI”) in general, the HIPAA Security Rule (“SR”) deals with electronic PHI (ePHI), which is essentially a subset of what the Privacy Rule encompasses. In terms of actual regulatory text the Security Rule only spans approximately eight (8) pages, which is the good news. The bad news is the Security Rule is highly technical in nature. For all intents and purposes this rule is the codification of certain information technology standards and best practices. Show
Broadly speaking, the Security Rule requires that a Business Associate (“BA”) implement three types of safeguards: 1) administrative, 2) physical, and 3) technical. In addition, it imposes other organizational requirements and a need to document processes analogous to the Privacy Rule. That said, creating the necessary Security Rule documentation will likely prove significantly more “vexing” than its Privacy Rule counterpart, especially for a smaller Business Associate. In short, small business associates, depending on their staff’s regulatory compliance and technical skills depth, will almost certainly need to hire HIT consultants if they want to “reasonably and appropriately” comply with the Security Rule. This article is a summary of a document that, together with the reference material cited, provides a roadmap for a Business Associate’s Security Rule implementation. However, it should be noted that this roadmap implies an iterative methodology for developing a “good Security Rule compliance story” and is not intended as a recommendation for a “one off big bang” project. This article focuses on providing an overview of relevant Business Associate compliance issues under HITECH. Our guiding principle with respect to this rule is “implement the necessary safeguards.” We readily admit that this is much easier said than done, since the real challenge lies in defining “necessary.” As discussed below in the general rule, the Security Rule attempts to provide some “flexibility” in this regard (an apparent acknowledgment of the challenges faced by small providers, and now presumably under HITECH, small Business Associates as well), but as a practical matter does not otherwise significantly reduce the burden of implementation, in our opinion. The Security Rule is contained in CFR sections §164.302 through §164.318. However, as discussed below a Business Associate, under HITECH, is only required to comply with a subset of the Security Rule, although, as it turns out, it is the most substantive subset. Business Associate Security Rule ComplianceThe HITECH Act identifies four specific sections of the Security Rule (i.e. those previously discussed in the Introduction) that a Business Associate is required to comply with under the statute. That means that failure to comply exposes the Business Associate to the same civil and criminal penalties (i.e. legal liability) that a Covered Entity has. In fact, the specific enumeration of sections is ambiguous and somewhat misleading. These enumerated sections themselves reference other sections that are not part of the enumerated list (e.g .the General rule §164.306 as well as others). Therefore, we find this “regulatory hair splitting” completely useless, and therefore, recommend that a Business Associate simply comply with the Security Rule as written, since in any case it is being asked to comply with the most substantive sections. Who is a Business Associate?If you do business with health care providers then the obvious question is whether or not you are a business associates. The answer to that question is that "it depends on what you do on behalf of a Covered Entity, and specifically the kind of data that you interact with." In the general case, the definition of Business Associate means, with respect to a Covered Entity, a person who:
In other words, a provider's business universe is literally chock-full of potential business associates. The key test however, is whether this "person" (or entity) requires the disclosure of "individually identifiable health information" in order to deliver their product or service to, or on behalf of, the Covered Entity? What is Individually Identifiable Health Information ?As a practical matter, what this term means is information that can be used to identify an individual patient. The definition in the regulations is as follows:
Therefore, the bottom line is that if you are in the business of providing a product or a service to a Covered Entity that requires you to "handle" IIHI then you are a Business Associate. This definition is quite broad, and as discussed above, includes many providers of professional services that heretofore probably did not think of themselves as business associates (e.g. attorneys and accountants). What's a potential business associate's strategy for avoiding liability? That depends on the type of product or service you provide. If you provide professional services perhaps you can deliver the work without being exposed to IIHI. In that case. you simply don't meet the definition of a business associate. Obviously, this won't work for business associates that provide data services on behalf of a Covered Entity, including the majority of EHR vendors, whether they offer a hosted solution or not. In short, under HITECH there are simply many more "cooks in the compliance kitchen." Why? Because from a public policy perspective that is the value that the legislators placed on this kind of health information. Essentially recognizing that newly empowered healthcare consumers simply will not tolerate a Laissez-faire posture with respect to PHI. What is the difference between IIHI and Protected Health Information (PHI) ?Not much. It is unclear why the regulators chose to split hairs and did not simply use one comprehensive definition, but that is what we got and we have to live with. PHI is essentially IIHI with a few exceptions. PHI is defined as follows:
Unless an organization falls into one of the exception categories then IIHI equals PHI. Notice that the Business Associate definition above is written in terms of IIHI, and does not provide for exceptions. More often than not the general term PHI is used but as you now know they are not exactly one and the same. It is easy to get lost in this regulatory "mumbo jumbo" and the best way to get clarity is to go back to the source. That is why we constantly link back. We want to encourage readers to become comfortable with the source. Business Associate Compliance Touch Points?There are a number of compliance touch points that a provider must consider when implementing an EHR. One of many significant touch points have to do with interoperability. Why is this an important compliance touch point? Because a business associate contract is almost certainly required with each one of the nodes depicted in the graphic below (except of course for other providers). In other words, the graphic below illustrates a very small subset of potential business associates. If your business provides one or more of these peripheral services then you are almost certainly a Business Associate by definition (i.e. difficult to see a how an organization could function in one of these roles and not handle IIHI). But there are other compliance touch points that have more to do with a providers workflow and internal operations. There are additional Business Associates that play in this space. including many professional services providers (see the graphic below). For example your EHR systems integrator is almost certainly a Business Associate. It is hard to imagine a scenario where an integrator will not "handle" PHI as part of your implementation. Here's a view of a generic front office for a small provider: Business Associate Privacy Rule Compliance?A Business Associate is not directly required by HITECH to comply with the HIPAA Privacy Rule, except of course as specified within the Security Rule (i.e. there are no “bright lines” between the two in certain areas). However, a Business Associate is required to comply with those sections of the Privacy Rule that are specified in the required contract with its respective Covered Entity. Covered Entities are likely going to insist that a Business Associate comply with all appropriate substantive sections of the Privacy Rule that pertains to the type of service a Business Associate provides on behalf of the Covered Entity. In short, as a practical matter, Business Associate’s will be “on the hook” contractually regarding Privacy Rule compliance. HITECH Section 13404 strengthens the contractual arrangement between the parties by mandating, among other things, mutual reciprocal monitoring for a material breach of the contract. The bottom line is that the regulatory environment for business associates has become much more complex. Next Steps?It is likely that this article raises as many questions as it answers. That's the nature of the beast. In order to deal with this level of complexity business associates need a common sense pragmatic approach. We believe we have provided a roadmap in:"The Security Rule Under HITECH: a Business Associate's Perspective (First Edition)." Download our Free HIPAA Project Plan. © 2009-2022 3Lions Publishing, Inc. Do business associates have to comply with HIPAA?The HIPAA Rules apply to covered entities and business associates.
Who must comply with the HIPAA security Rule?The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.
What do HIPAA security rules require of business associates?General Provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.
Which of the following are considered business associates under HIPAA?Business associates of HIPAA covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms – electronic and physical records, EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, ...
|