Question: When does an employer need to enter into a HIPAA business associate agreement (BAA) with an outside service provider for the plan?

Compliance Team Response:

HIPAA Business Associate Defined

A HIPAA business associate is a third-party that creates, receives, maintains, or transmits PHI for any of the following services:

• Claims processing or administration

• Data analysis, processing, or administration

• Utilization review

• Quality assurance

• Patient safety activities

• Billing

• Benefit management

• Practice management

• Repricing

A HIPAA business associate also includes a third-party that provides any of the following services, if such services involves disclosure of PHI from the plan to the third-party:

• Legal

• Actuarial

• Accounting

• Consulting

• Data aggregation

• Management

• Administrative

• Accreditation

• Financial

When is a HIPAA Business Associate Agreement (BAA) Required?

Employers cannot permit third-party vendors (business associates) to access the PHI of their employees or dependents without entering into a HIPAA BAA on behalf of the health plan (the HIPAA covered entity).  Therefore, employers must enter into a BAA any time an outside vendor in any of the above-listed categories will have access to the health plan’s PHI.

Exception: Employers with only fully insured health plans generally do not need to enter into HIPAA BAAs.  See our previous FAST on this topic for more details: https://www.newfront.com/blog/hipaa-notice-of-privacy-practices-2

What is a HIPAA BAA?

A BAA imposes certain required safeguards on the business associate’s use of PHI that ensures the business associate is contractually bound to provide the same HIPAA privacy and security safeguards as the covered entity (the health plan).

Note that the HITECH Act also imposes direct liability on business associates for failure to comply with HIPAA’s privacy and security requirements with respect to PHI.  This permits HHS to directly enforce upon business associates—regardless of the terms of the BAA.

The BAA must include certain required provisions set forth in the regulations copied below.

What is HIPAA PHI?

Protected Health Information (PHI) generally includes any individually identifiable health information maintained or transmitted by a HIPAA covered entity.  In this case, the covered entity is the employer-sponsored group health plan.

Keep in mind that employee enrollment and disenrollment information (that does not include any substantial clinical information) maintained by the employer is not PHI protected by HIPAA.  That information is considered an employment record rather than PHI held by the plan.  That major exclusion from the definition of PHI limits the scenarios where a BAA is required.

Regulations

45 CFR §160.103:

Business associate: (1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

45 CFR §164.502(e):

(e)

_(1)  _Standard: Disclosures to business associates.

(i)   A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

(ii)   A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with §164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.

(2)  Implementation specification: Documentation.

_The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of §164.504(e) _.

45 CFR §164.504(e)(1):

_(1)  _Standard: Business associate contracts.

(i)   The contract or other arrangement required by §164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable.

(ii)   A covered entity is not in compliance with the standards in §164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

(iii)   A business associate is not in compliance with the standards in §164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor’s obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

_(2)  _Implementation specifications: Business associate contracts.

A contract between the covered entity and a business associate must:

(i)   Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

(A)   The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and

(B)   The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

(ii)   Provide that the business associate will:

(A)   Not use or further disclose the information other than as permitted or required by the contract or as required by law;

(B)   Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;

(C)   Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by §164.410 ;

(D)   In accordance with §164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

(E)   Make available protected health information in accordance with §164.524;

(F)   Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526;

(G)   Make available the information required to provide an accounting of disclosures in accordance with §164.528;

(H)   To the extent the business associate is to carry out a covered entity’s obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation.

(I)   Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and

(J)   At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

(iii)   Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

45 CFR §160.103:

Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media; or

(iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information:

(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);

(iii) In employment records held by a covered entity in its role as employer; and

(iv) Regarding a person who has been deceased for more than 50 years.

67 Fed. Reg. 53181, 53208 (Aug. 14, 2002):

https://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf

While the standard enrollment and disenrollment transaction does not include any substantial clinical information, the information provided as part of the transaction may indicate whether or not tobacco use, substance abuse, or short, long-term, permanent, or total disability is relevant, when such information is available. However, the Department clarifies that, in disclosing or maintaining information about an individual’s enrollment in, or disenrollment from, a health insurer or HMO offered by the group health plan, the group health plan may not include medical information about the individual above and beyond that which is required or situationally required by the standard transaction and still qualify for the exceptions for enrollment and disenrollment information allowed under the Rule.

65 Fed. Reg. 82461, 82496 (Dec. 28, 2000):

https://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf

The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. _Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. _For purposes of this rule, plan sponsors are not subject to the requirements of § 164.504 regarding group health plans when conducting enrollment activities.

65 Fed. Reg. 82461, 82646 (Dec. 28, 2000):

https://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf

We agree with the commenters that firewalls are necessary to prevent unauthorized use and disclosure of protected health information. Among the conditions for group health plans to disclose information to plan sponsors, the plan sponsor must establish firewalls to prevent unauthorized uses and disclosures of information. The firewalls include: describing the employees or classes of employees with access to protected health information; restricting access to and use of the protected health information to the plan administration functions performed on behalf of the group health plan and described in plan documents; and providing an effective mechanism for resolving issues of noncompliance.

78 Fed. Reg. 5565, 5597 (Jan. 25, 2013):

https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

Before the HITECH Act, the Privacy Rule did not govern business associates directly. However, section 13404 of the HITECH Act makes specific requirements of the Privacy Rule applicable to business associates, and creates direct liability for noncompliance by business associates with regard to those Privacy Rule requirements. Specifically, section 13404(a) of the HITECH Act creates direct liability for uses and disclosures of protected health information by business associates that do not comply with its business associate contract or other arrangement under the Privacy Rule. Additionally, section 13404(a) applies the other privacy requirements of the HITECH Act directly to business associates just as they apply to covered entities. Section 13404(b) applies the provision of § 164.504(e)(1)(ii) regarding knowledge of a pattern of activity or practice that constitutes a material breach or violation of a contract to business associates. Finally, section 13404(c) applies the HIPAA civil and criminal penalties to business associates.