Updating Business Associate Contracts under HIPAA’s new Rule
Melissa Garcia
Texas State University
March 21, 2013
Business Associate Contracts under HIPAA
Individually identifiable health information in the United States is kept under strict watch in terms of privacy. The Health Insurance Portability and Accountability Act (HIPAA) determines who may access this information and what they may do with it. A business partner under HIPAA regulations had previously been defined as one who uses individually identifiable health information, or protected health information (PHI), from a covered entity, assists in using it, or uses the information on behalf of a covered entity (HIPAA 1996). Because of concerns about who would or would not fall into this category, however, the government decided to alter the definition. The term has been changed to business associate and now covers anyone who creates, receives, maintains, or transmits individually identifiable health information on behalf of a covered entity, or who has persistent access to it; members of the covered entity's workforce and health care providers who receive the information solely to treat a patient are excluded (Federal Register, 2013). This paper is intended to give the reader a comprehensive overview of who is considered a business associate and the differences between the original HIPAA definition and the one now being put into effect. The reader should also be made aware of the updates to business associate contracts, how they will be implemented, and who is affected by them.
Public Concerns
Several questions arose from the public about who will be obligated to enter into a business associate contract, and who will be held responsible if a breach occurs while PHI is in a business associate's care. Another large question concerned the new term "subcontractor": the public requested assurance that this was a necessary change and was concerned about how far down the chain the title of subcontractor would apply.
Government Answers
On the question of who takes responsibility for a breach of information in a business associate's care, the business associate is responsible for reporting any breach of unsecured PHI, without unreasonable delay, to the covered entity or entities with which it holds a contract covering the information at risk; the covered entity in turn notifies the affected individuals and the Department of Health and Human Services (HHS). Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, a breach affecting 500 or more individuals must also be posted by the Secretary of HHS on the department's website, in a list of covered entities that have experienced a breach of that size (Federal Register, 2013). Who must enter into a business associate contract depends on the relationship the individual or organization will have with the health information and whether they will use that information in any way. For example, a janitorial service that comes into contact with PHI only incidentally, while cleaning, does not have to enter into a business associate contract with the covered entity even though the service works for the covered entity. A storage company (physical or electronic), on the other hand, is obligated to enter into a contract with the covered entity: although it may never view the PHI, it maintains the information and has persistent access to it. There is a list of basic descriptions of organizations that are generally obligated to enter into a business associate contract, and, in contrast, there are several exceptions to the rule about who should enter into a business associate contract,