Know HIPAA’s definition of business associates

[Editor’s note: This is a periodic column that will address specific questions related to Health Insurance Portability and Accountability (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Hospital Home Health, American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com.]

Question: What is a business associate under the HIPAA privacy rule?

Answer: In essence, it is someone who is not a part of your work force, who provides services to you (not to your patients), and who needs individually identifiable health information to provide those services, says John C. Gilliland II, an Indianapolis-based attorney. The complete detailed definition is in the privacy rule.

Question: What are some examples of business associates?

Answer: A business associate is anyone who needs individually identifiable health information to perform his or her services for you, says Gilliland. Examples include: computer software vendors, consultants, accreditation organizations, attorneys, accountants, answering services, and billing companies.

Question: What about our referral sources or providers to whom we refer?

Answer: A referral source or provider to whom you refer is not a business associate. Business associates do not include health care providers to whom a provider discloses information about an individual for treatment of the individual, he says.

Question: What about our cleaning staff?

Answer: No. They generally are not your business associates because they do not need individually identifiable health information to perform the cleaning services for you, Gilliland explains.

Question: So what’s the significance of someone being a business associate?

Answer: If someone is your business associate, it is OK for him or her to have access to individually identifiable information, provided you have a written contract or other form of written arrangement with them that contains at least the provisions required by the privacy rule, he says.

Question: What does the privacy rule require to be in the contract?

Answer: Quite a few things, Gilliland says:

  • It must establish the permitted and required uses and disclosures of protected health information by the business associate.
  • The contract must provide that the business associate will not further use or disclose the protected health information other than as permitted or required by the contract or as required by law.
  • It must require the business associate to use appropriate safeguards to prevent use or disclosure of the information other than as provided for in the contract.
  • The business associate must be required to report to the health care provider any use or disclosure of the information of which it becomes aware that is not provided for by the contract.
  • The business associate must ensure that any agents, including any subcontractor, to whom it provides protected health information agree to the same restrictions and conditions that apply to the business associate.
  • The contract must provide that the business associate will permit an individual access to inspect, and to obtain a copy of, protected health information about that individual as required by the privacy rule.
  • The contract must require the business associate to make available protected health information for amendment and to incorporate any amendments to the information as required by the privacy rule.
  • The business associate must be required to make available the information required by the privacy rule in order to make an accounting of disclosures of protected health information by it during the six years prior to the date on which the accounting is requested (but not prior to April 14, 2003).
  • The business associate must agree to make its internal practices, books, and records relating to its use and disclosure of protected health information available to the secretary of Health and Human Services (HHS) for determining its compliance with the privacy rule.
  • At termination of the contract, if feasible, the business associate must be required to return or destroy all protected health information that the business associate still maintains in any form and retain no copies of it. If return or destruction of the information is not feasible, then the contract continues to apply to the information and uses and disclosures are limited to those purposes that make the return or destruction of the information not feasible.
  • The contract must authorize the health care provider to terminate the contract if the provider determines that the business associate has violated a material term of the contract. If termination is not feasible, the provider must report the problem to the secretary of HHS.

If both the health care provider and the business associate are governmental entities, the privacy rule contains different provisions for the arrangement than what is stated above, Gilliland says.

Exceptions also exist if the business associate is required by law to perform the functions involved, he adds. Sample business associate contract language can be downloaded from the HHS Office of Civil Rights web site at www.hhs.gov.

Question: When do we have to have these contracts in place?

Answer: With one exception, arrangements with business associates must be in writing and contain the HIPAA-required provisions by April 14, 2003. The exception involves a transition period with respect to a written business associate agreement that:

1. was in existence prior to Oct. 15, 2002;

2. is not renewed or modified from Oct. 15, 2002 until April 14, 2003.

The exception includes contracts that renew automatically without any change in terms or other action by the parties. It is not available for oral contracts. If the contract with the business associate meets these requirements, it is deemed to be in compliance with HIPAA until the earlier of:

1. the time the contract is renewed or modified after April 14, 2003;

2. April 14, 2004.

In other words, if the exception applies, you gain up to an additional year to enter into a new, HIPAA-compliant contract with that business associate.

[For more information on HIPAA privacy, contact:

• John C. Gilliland II, Attorney at Law, Gilliland & Caudill, LLP, 6650 Telecom Drive, Suite 100, Indianapolis, IN 46278. Telephone and fax: (317) 616-3647. E-mail: jcg@gilliland.com. Gilliland is the author of HIPAA Privacy Compliance Resource Manual. For more information about the manual, go to: www.gilliland.com.]