HITECH Business Associate Rule Tool Section 12: Implications for Consultants and Other Professional Services Firms

Professional services including “legal, actuarial, accounting, consulting, data aggregation . . .,  management, administrative or financial services” are expressly included in the definition of Business Associate, so there is no doubt that any professional services firm which creates, receives, maintains, or transmits PHI for services provided to a Covered Entity will be a Business Associate.

The question may be more difficult when the firm is providing services to a Business Associate, however. As discussed in Section 2, a subcontractor which provides services to a Business Associate for purposes of the Covered Entity at the top of the Business Associate chain, that subcontractor becomes the next Business Associate in the chain. On the other hand if the subcontractor provides services to a Business Associate for purposes of the Business Associate, the subcontractor does not become a Business Associate. I have suggested calling this kind of subcontractor to a Business Associate a “Business Associate Services Provider,” a term which has been criticized in comments but which I’ll use for now.

Spotting Potential Business Associate Status.

The distinction between Business Associate and Business Associate Services Provider status can have significant implications for how a client or engagement is managed. The determination which status applies depends upon careful analysis of the intended purpose and uses of the services. This might be best shown by some examples.

Consider a hospital (Covered Entity), which contracts with a health information exchange organization (HIO) to provide health information exchange services. The HIO would be the hospital’s Business Associate, and a First Tier Business Associate. The HIO might in turn contract with a different company to host and manage the record locator service used for its health information exchange services. Because the record locator service uses PHI and is part of the set of services provided by the First Tier Business Associate to the Covered Entity, the record locator service host is a Second Tier Business Associate.

Now let’s take this example in a couple of different directions. The record locator service may want to contract with a consulting firm to help it develop more effective protocols for responding to record queries. Since these protocols are to be used in a service which is part of the set of services ultimately being provided to the Covered Entity, the consulting firm would become the Business Associate of the Second Tier Business Associate. This would require a Business Associate Contract between the record locator service and the consulting firm, and the consulting firm would have to fully comply with Business Associate regulatory requirements.

On the other hand, the record locator service might experience a security breach affecting the PHI in the record locator service. In that case it is likely to want legal counsel and a computer forensics firm to help it determine the scope of the breach and appropriate responses. I generally advise that in cases like this the investigation should be conducted by the forensics firm as a contractor to a law firm to get the benefits of attorney-client and work product privileges, so this Second Tier Business Associate would contract with the law firm as a Business Associate Services Provider.

The record locator service would be permitted to let the law firm have access to PHI for this purpose as part of its “proper management and administration” and in order to “carry out its legal responsibilities,” as long as that was authorized under its Business Associate Contract with the HIO. (NOTE: Failure to include such a provision could therefore cause serious problems for downstream Business Associates!)

As opposed to the Business Associate Contract required for the consulting firm providing protocol advice, the record locator service would only have to have assurances from the law firm that it would hold the PHI confidentially, implement reasonable and appropriate security safeguards for the PHI, report breaches of confidentiality, and only use or further disclose the PHI for the purposes for which it was made available or as required by law. The law firm would not be considered a Business Associate and so would not be subject to Business Associate regulatory requirements, and could subcontract for computer forensics services for use in its engagement by the record locator service without the forensics firm being deemed a Business Associate.

Managing Compliance Obligations.

Business Associate regulatory compliance obligations may conflict with ethical obligations of some professional services providers, particularly law and accounting firms, but those considerations are beyond the scope of this Section. (Please contact me if you would like a copy of presentation materials on the ethical implications of Business Associate status for law firms under HITECH.) In a firm with multiple service areas they may also be hard to explain or justify to principals in non-health care practice areas, as they create firm-wide legal exposures and may require some changes to management, administrative procedures and information system configuration.

One strategy for this kind of risk and compliance management is based on the “hybrid entity” concept. Under HIPAA a hybrid entity is Covered Entity which is a single legal entity, whose business activities include both covered and non-covered functions.  This kind of entity can designate “health care components,” in which case the Security and Privacy Rules apply only to the health care component. Health care components include organizational units to the extent that they perform Covered Entity functions, as well as functions which would make the unit a Business Associate of a unit performing Covered Entity functions.

The Omnibus Rule commentary indicated that a commenter had suggested the regulations permit a Business Associate to designate health care components. This suggestion was dismissed with the comment that:

As a business associate is only subject to the HIPAA Rules with respect to the protected health information it maintains, uses, or discloses on behalf of a covered entity (or business associate) and not to other information it may maintain, including health information, there is no need for business associate to designate one or more health care components.

The rules therefore did not include such a provision.

It is not clear why this distinction is supposed to be significant, since a Covered Entity is also only subject to the HIPAA rules with respect to PHI and “not to other information it may maintain.” At the same time there do seem to be potential compliance and risk management benefits for a professional services firm which has multiple practice areas, including a health care department which needs to use and disclose PHI to provide its services, to designate that department as a defined health care component. This would limit the scope of security policies and procedures and other compliance obligations to members of that department and its support staff. This may not have been positively allowed for in the Omnibus Rule, but it also was not prohibited (and perhaps not understood).

© 2013 John R. Christiansen

One Response to HITECH Business Associate Rule Tool Section 12: Implications for Consultants and Other Professional Services Firms