HITECH Business Associate Rule Tool Section 4: How to Tell If You’re a Business Associate
- In order to determine whether you are a Business Associate, ideally before agreeing to or accepting any arrangement in which you will create, receive, maintain or transmit PHI, you should determine:
  - Whether the party for or from which you will do so is a Covered Entity or a Business Associate, and
  - If the party is a Business Associate,
    (i) whether the purpose for which you will do so is a function, activity or service the Business Associate has agreed to provide or perform for or on behalf of a Covered Entity or another Business Associate, or
    (ii) whether it is a function, activity or service for the Business Associate's own purposes.
- A Covered Entity is defined as any person (corporate entity or individual) which is:
  - A Health Care Provider, including a hospital, physician, clinic, laboratory, or any other provider of health care or medical services, which is paid for its services by electronic claims transactions;
  - A Health Plan, including a health insurance carrier, employee group health benefits plan, government health plan, or any of a number of other health care payors; or
  - A Health Care Clearinghouse, a health claims transactions processor.
- A Business Associate is defined as any person (corporate entity or individual), including a Covered Entity, which:
  - Creates, receives, maintains, or transmits PHI,
  - In order to provide or perform a function or activity on behalf of a Covered Entity, including but not limited to claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, benefit management, practice management, repricing, or services to a Covered Entity including but not limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, financial, health information exchange (“HIE”) or personal health record (“PHR”) services,
  - Including not only a person which is providing or performing the function, activity or service directly to or for a Covered Entity (“First Tier Business Associate”), but also persons to which a First Tier Business Associate subcontracts or delegates some or all of the function, activity or service (“Second” or “Lower Tier Business Associate”), and so on downstream as far as functions, activities or services are subcontracted or delegated to other persons (“Lower Tier Business Associates”).
- Business Associates do not, however, include:
  (i) Individual members of the Covered Entity’s Workforce,
  (ii) Covered Entities performing such functions or activities or providing such services to other Covered Entities, when they are all part of an Organized Health Care Arrangement, or
  (iii) Health care providers receiving PHI for purposes of treating an individual.
- Business Associate status is “definitional,” which means that a person becomes a Business Associate whenever conditions exist which meet the definition of Business Associate. A person can therefore become a Business Associate without knowing or wanting to become one, and without entering into a Business Associate Contract.
- Please see Compliance as a Business Associate.
- A Second or other Lower Tier Business Associate must be distinguished from a Business Associate Services Provider. Part of the definition of Business Associate is that it is acting for or on behalf of a Covered Entity, directly or indirectly, when dealing with PHI. A Business Associate Services Provider, on the other hand, is acting for or on behalf of a Business Associate, and a Business Associate Services Provider is not a Business Associate.
By Bill Braithwaite January 22, 2013 - 6:06 pm
I think the concept of a Business Associate Services Provider is unclear in this section and I think the introduction of such a definition would be confusing to most, since it is not in the rule (that I can find).
By John R. Christiansen January 22, 2013 - 8:15 pm
Fair point, and I’m not thinking this or any of several other concepts are fully-baked. I’m also not fully comfortable with some of the other Business Associate terminology I’ve put out. But I do find I need some kind of shorthand way of talking about some of this and the Rule doesn’t give it to us. What would be a better way of talking about this concept, and what is missing or needs fuller explanation?
And thanks much for commenting, this is valuable.
By John R. Christiansen January 23, 2013 - 9:45 pm
Okay, two votes against Business Associates Services Provider, which is significant.
Here’s my problem: I want to be able to refer to a “Subcontractor to a Business Associate which is not providing a function, activity or service to or for a Covered Entity, directly or indirectly, and therefore is not a Business Associate within the regulatory definition, but is still permitted to use or disclose PHI for purposes of the proper management or administration of a Business Associate because it is subject to an agreement requiring it to maintain the confidentiality of the PHI and use or disclose it only for the purposes for which the Business Associate permits it to obtain the PHI.”
If I don’t qualify it this way, this kind of Subcontractor might be construed to be a Business Associate. So, if we don’t call it something like a Business Associate Services Provider, how do we talk about it in shorthand?
By Missy January 23, 2013 - 1:57 pm
I like what you’re doing here. But I have to agree that talking about the Business Associate Service provider is probably more confusing at this point. Maybe consider just leaving that out all together and stay focused on BAs. Also, in the next section you talk about downstream BAs. In the rule, they call these subcontractors. Maybe it would help to stay consistent with the rule terminology. Just a thought. Overall, this is a nice breakdown and helps me to digest the 563 pages!
By Pat Holmstead January 24, 2013 - 11:18 am
I think that the phrase “subcontractor of business associate” will make sense to individuals who will be responsible for ensuring compliance with the new regs.
By beth January 24, 2013 - 11:32 am
John, thank you for engaging us in this review process. It is certainly helpful in reviewing and considering the applicability of the many changes.
I agree with the discussion regarding the use of the term Business Associate Services Provider and that it is best to stay with the terms used in the statute. If the idea is that there are other entities which are neither a CE, BA or a Subcontractor, but which may still fall under the BA umbrella, then I would still characterize that person as a Subcontractor. For instance, if a shredding company performs shredding services for a Business Associate that involves the receipt of documents containing PHI, that “services provider” would, in my opinion, be characterized as a Subcontractor although the shredding company does nothing more than destroy the paper product and its services are solely for the benefit of the BA. The service is provided as a part of the BA obligations to the CE.
By Tony March 28, 2013 - 6:36 pm
If you don’t mind, could you clarify something for me? Is a subcontractor performing compliance functions (auditing, training, document creation, IT Managed Services) without coming into direct contact with PHI (hosting, reviewing, storing, …) now considered as being a “Business Associate” and regulated as such? I seem to have lost my way somewhere. Thanks
By John R. Christiansen March 29, 2013 - 2:11 pm
The key question is whether the party has “routine” or “recurring/nonrandom” access to PHI for purposes of or in the course of providing services. I interpret this, as applicable to the kind of case you describe, to mean that the party will be a BA if any of the functions it performs must entail access to PHI, or there is any reason to believe they might on something other than an accidental basis. So, for example, if the scope of auditing were limited to system log review, that shouldn’t entail PHI access and shouldn’t be enough to establish BA status. On the other hand, if the auditing involved access to EMR files, those would include PHI and that activity would trigger BA status.
The difficulty is that there’s no bright-line test; you have to review each function and determine whether it entails PHI access. If it happens to be structured so that it does, but doesn’t really need to, it might make sense to re-structure it to avoid PHI access. If it does need PHI access, even potentially and infrequently, but “non-randomly,” I think you have to accept BA status to keep performing that function.
By John R. Christiansen June 28, 2013 - 9:19 am
No, if you don’t have access to PHI, you aren’t a Business Associate. That’s still the rule.