An HR Director recently asked me (i) how to determine if an entity is a business associate and (ii) what terms should be included in a business associate agreement?
Who is a Business Associate?
Generally, a business associate is a person who, on behalf of a health plan, and in a capacity other than as part of the covered entity’s workforce:
- performs or assists in performing a function or activity involving the use or disclosure of individually identifiable health information (including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing); or
- provides legal, actuarial, accounting, consulting, data aggregation, management, accreditation, or financial services, if the performance of such services involves giving the service provider access to individually identifiable information.
Therefore, an insurance agent, broker, consultant, attorney, or third-party
administrator is a business associate if he or she is working on behalf of a covered entity and the service provider is given access to individually identifiable health information.
What is a covered entity?
A covered entity is generally defined as:
- a health plan;
- a health care clearinghouse;
- a health care provider that conducts certain types of transactions in electronic form; and
- endorsed sponsors of the Medicare prescription drug discount card
What is individually identifiable health information?
Health information is “individually identifiable health information” if it:
- is created or received by a health care provider, health plan, employer, or health care clearinghouse;
- relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
- identifies the individual, or with respect to which there is a reasonable basis on the part of the disclosing entity for believing that the information may be used to identify the individual
Courts have come to different conclusions with regards to whether certain information
constitutes individually identifiable information. If the information does not include a name or does not include specific health information, there is a reasonable basis to believe that the information cannot be used to identify the person.
What provisions must be included in a Business Associate Contract?
Under the HIPAA Privacy Rule, the business associate contract must:
- Establish the permitted and required uses and disclosures of PHI by the business associate;
- Prohibit the business associate from using or disclosing the information other than as permitted or required by the contract or by law;
- Require the business associate to implement appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the contract;
- Require the business associate to report to the covered entity when it becomes aware of any uses or disclosures of information not provided for by the contract;
- Impose the same requirements on all the business associate’s agents and subcontractors to whom the PHI is disclosed;
- Require the business associate to make PHI available in compliance with the individual’s rights to access, amend, and receive an accounting related to such information;
- Require the business associate to make its internal books and records available to the Department of Health and Human Services (“HHS”) for purposes of determining the covered entity’s compliance with HIPAA;
- Require the business associate to return or destroy all PHI received from, or created or received by or on behalf of, the covered entity, if feasible, upon termination of the relationship and retain no copies of such information;
- Authorize the covered entity to terminate the contract if the business associate has violated a material term of the contract.
The HIPAA Security Rule states that the business associate contract must require the business associate to:
- Implement the administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity;
- Ensure that any agent or subcontractor to whom a business associate provides the covered entity’s electronic PHI agrees to implement appropriate safeguards to protect the electronic PHI;
- Authorize termination of the business associate agreement by the covered entity if the covered entity determines that the business associate contract has violated a material term of the agreement; and
- Report to the covered entity any security incidents of which the business associate becomes aware
This summary is intended to be informational and does not constitute legal advice. Hamby Benefits Law, LLC recommends that you consult with ERISA legal counsel (i) to assist in determining whether a service provider for your group health plan is a business associate, and (ii) to assist in drafting the business associate contract to ensure that the provisions mandated by the HIPAA Privacy and Security Rules are included in such agreement.
Hall Benefits Law, LLC
Latest posts by Hall Benefits Law, LLC (see all)
- Penalties for Failing to Timely File 2023 Forms 1094/1095 - April 18, 2024
