Business associates that engage downstream contractors to provide services to (or on behalf of) the business associate and that will have access to a covered entity’s PHI must also enter into or update agreements with those downstream contractors. Anyone who performs services or functions that fit within the definition of business associate will be subject to the business associate obligations, even if no BAA is signed. Therefore, it’s important for both covered entities and business associates to identify those relationships implicating HIPAA and satisfy the HIPAA rules in connection with those relationships.
Explore This Issue
September 2014The initial question: Are you functioning as a covered entity or business associate? A covered entity under HIPAA is a healthcare provider that transmits health information in electronic form, a health plan or a healthcare clearinghouse (which includes certain medical billing companies that process and submit claims to health plans). Generally, an individual (other than a member of the covered entity’s workforce) or organization that performs or furnishes any function, activity or service, for or on behalf of a covered entity involving the use or disclosure of PHI, is considered a business associate. The Omnibus Rule also added new categories of business associates, including those who store or otherwise maintain PHI and certain subcontractors of business associates. Functions or activities that are performed on behalf of a covered entity by a business associate include claims processing or administration, billing, accounting and consulting. The HIPAA rules also specifiy certain individuals and entities that are not business associates.
Entities that generate or have access to PHI should have in place a process to ensure that potential new arrangements and existing relationships are evaluated and BAAs are executed when necessary. The process for negotiating a BAA can be time consuming, and Sept. 23, 2014, is right around the corner, so the time to start negotiations is now.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC. He may be reached at sharris@mcdonaldhopkins.com