What is a Business Associate?
Under the HIPAA Privacy Rule, a business associate is a person or entity that provides services for or performs functions on behalf of a covered entity that involves having access to protected health information (PHI). A health care provider or health plan can be a business associate of another covered entity. A person who works for a covered entity, however, is not considered a business associate.
Are Data Center Service Providers Considered Business Associates?
The HIPAA Omnibus Rule clarified, on a national level, the role of data center and data storage companies to uphold the Privacy, Security and Breech Notification rules of HIPAA and HITECH. This rule explicitly stated: “… a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”
What is a Business Associate Agreement?
The HIPAA Privacy Rule only applies to covered entities, but most covered entities don’t carry out all of their health care activities by themselves. They use the services of other businesses for things such as claims processing, legal services, and accounting services. HIPAA allows covered entities to disclose a patient’s PHI to these businesses if they obtain assurance that the information will only be used to carry out the functions for the covered entity and will be safeguarded. When employing business associates, the Privacy Rule requires that both parties must enter into a contract known as a Business Associate Agreement.
What must a Business Associate Agreement include?
The contract between a covered entity and business associate must contain the elements specified in 45 CFR 164.504(e) of the HIPAA Privacy Rule. The agreement must:
- Outline the permitted uses and disclosures of PHI
- Establish the business associate will not use or disclose the PHI other than as permitted or as required by law
- Require the business associate to implement appropriate safeguards to prevent unauthorized access or disclosure of the PHI
- Detail that the business associate must report to the covered entity any breaches in security or uses of the information for functions not covered in the contract
- Require the business associate to share the PHI with the covered entity to satisfy an individual’s request for copies of the individual’s own health information
- Require the business associate to comply with the HIPAA Privacy Rule to the extent necessary to fulfill its obligation to the covered entity
- Necessitate that the business associate makes its internal practices, books, and records relating to the use of PHI available to the United States Department of Health and Human Services (HHS)
- Require that any subcontractors used by the business associate that have access to PHI agree to the same restrictions
- At the termination of the contract, the business associate must return or destroy all PHI received from, or created on behalf of the covered entity
- Authorize the termination of the contract by the covered entity if the business associate, or any subcontractors of the business associate, violates any of the terms
Who must sign a Business Associate Agreement?
To determine if a HIPAA Business Associate Agreement is required, ask the following questions:
- Is PHI being disclosed?
- Does the recipient of the PHI provide a service for, to, or on behalf of the covered entity?
If the answer to both of these questions is “yes,” a Business Associate Agreement might be necessary.
Exceptions to the Rule:
There are a few exceptions to who must sign a HIPAA Business Associate Agreement in the Privacy Rule. In the following situations, a covered entity is not required to enter into a contract with the person or entity:
- Disclosures to a health care provider for treatment of the individual
- Disclosures to a health plan sponsor, such as an employer, provided that the group health plan’s documents are amended to limit the disclosures
- The collection and sharing of PHI by a health plan that is part of a public benefits program that requires the information to determine eligibility for enrollment where the joint activities are authorized by law (i.e. Medicare)
The above exceptions apply to:
- Laboratories that do testing for the treatment of an individual
- Health care workers providing treatment
- Individuals or companies with very limited access to PHI (i.e. telephone companies, electricians, etc.)
- Companies that act as a channel for PHI under the conduit exception (i.e. private couriers, the postal service, etc.).
Does OnRamp Sign Business Associates Agreements?
OnRamp takes our responsibility as a Business Associate for customers that are considered Covered Entities and Business Associates very seriously. As such, through OnRamp’s online, HIPAA Risk Management Tool and supporting 3-Step Risk Management Process, OnRamp develops a customized Business Associates Agreement which we sign with our customers. In it, we detail the responsibility of each party to protect PHI and how we cooperatively work together to maintain HIPAA compliance.