PLEASE SEE THIS POST FOR MORE CURRENT INFORMATION: Do the HITECH Rules Really Make All Healthcare ASPS and Cloud Services Providers Business Associates?
There are a number of models for the provision of electronic health record (EHR), personal health record (PHR), billing and administrative and related types of information system in healthcare. Whether or not a vendor of such a system depends very much on the business model used.
At one end of the spectrum the vendor may simply sell software and nothing more. In such a case the vendor is clearly not a Business Associate, as the sale of software should not entail any use or disclosure of PHI by the vendor.
At the other end of the spectrum a vendor may provide fully outsourced application services and even some IT staff to support operations. A full-service application services provider (ASP), whose staff need routine access to PHI to provide the services, just as clearly is a Business Associate.
ASPs as Conduits
Most vendors fall somewhere in between these examples, and for them the question of Business Associate status is fact-specific. Any vendor whose staff has routine or recurring access to PHI, for example to provide support, help desk or operational services, will be a Business Associate. So will any vendor which hosts or operates applications which “persistently” store PHI, or otherwise provides a PHI storage service.
This analysis follows DHHS’ comments on “conduit” status. (See Section 10 for more information.) A “conduit” is an entity whose services do not entail “routine access to PHI, such as an Internet services provider (ISP).
DHHS’ comments on the Omnibus Rule indicate very clearly that anything more than “transient” or “temporary” storage triggers Business Associate status if the vendor has “access” to the PHI. This suggests that access controls preventing vendor access to PHI would keep it from being a Business Associate, but DHHS has provided no additional guidance on this point. If this is a valid interpretation, adequate access control might include data encryption using a methodology which would render the data “secured” for purposes of the breach notification rule, as long as the services provider doesn’t have access to the encryption keys.
Personal Health Records Vendors
The Omnibus Rule also has provisions specific to PHR vendors:
[D]etermining whether a personal health record vendor is a business associate is a fact specific determination. A personal health record vendor is not a business associate of a covered entity solely by virtue of entering into an interoperability relationship with a covered entity. For example, when a personal health record vendor and a covered entity establish the electronic means for a covered entity’s electronic health record to send protected health information to the personal health record vendor pursuant to the individual’s written authorization, it does not mean that the personal health record vendor is offering the personal health record on behalf of the covered entity, even if there is an agreement between the personal health record vendor and the covered entity governing the exchange of data (such as an agreement specifying the technical specifications for exchanging of data or specifying that such data shall be kept confidential). In contrast, when a covered entity hires a vendor to provide and manage a personal health record service the covered entity wishes to offer its patients or enrollees, and provides the vendor with access to protected health information in order to do so, the personal health record vendor is a business associate.
A personal health record vendor may offer personal health records directly to individuals and may also offer personal health records on behalf of covered entities. In such cases, the personal health record vendor is only subject to HIPAA as a business associate with respect to personal health records that are offered to individuals on behalf of covered entities.
DHHS also clearly stated that “
a. personal health record vendor that offers a personal health record to a patient on behalf of a covered entity does not act merely as a conduit. Rather, the personal health record vendor is maintaining protected health information on behalf of the covered entity (for the benefit of the individual). Further, a personal health record vendor that operates a personal health record on behalf of a covered entity is a business associate if it has access to protected health information, regardless of whether the personal health record vendor actually exercises this access.
Entities providing application services which include any “persistent” storage of PHI should therefore assume they are Business Associates, unless their services do not involve any routine or recurring access to the PHI and they also do not have the technical ability to access the PHI, for example if all PHI is properly encrypted and the vendor cannot access the encryption keys.
© 2013 John R. Christiansen