Pursuant to HIPAA, business associates of health care organizations have until September 23, 2013 to become HIPAA-compliant. This alert sets forth the factors often used to determine whether a company will be considered a business associate (BA) for HIPAA purposes, and, if so, what its obligations are under the Act.

Defining "Business Associate"

A HIPAA BA is a person or organization that performs functions, services, or activities on behalf of a health care organization (a covered entity) and, in doing so, has access to a patient’s protected health information (PHI). In addition, if a BA delegates a function, service, or activity to a subcontractor in a way that involves disclosing PHI to the subcontractor, then that subcontractor is also a BA. An organization is a BA if it meets the definition of a BA, regardless of whether it knows it or whether it has a BA agreement in place.

The following business types are often deemed BAs when they perform services for a covered entity, such as a hospital, physician’s office, or health care plan:

  • CPA firms and auditors
  • Consultants, including those used for quality assurance, utilization review, data analysis, and accrediting
  • Management companies
  • Third party administrators
  • Pharmacy benefit managers
  • Medical transcriptionists
  • Claims processors, coders, or billing providers
  • Copy services
  • Translators
  • Answering services
  • Waste disposal, recycling, and shredding vendors
  • Data processing firms
  • Software and hardware providers who may access patient information for installation, maintenance, and support services
  • Health information organizations and e-prescribing gateways
  • Data storage companies, including cloud storage vendors
  • Document storage facilities
  • Law firms

The following are not typically deemed BAs:

  • The U.S. Postal Service, UPS, and other courier services, and Internet service providers
  • Telecommunications companies that only have occasional random access to PHI
  • Banking and financial institutions that only undertake payment processing functions
  • External researchers who do not create PHI
  • Janitorial companies

The Obligations of a Business Associate

The new HIPAA rule makes BAs directly liable for compliance with the HIPAA Security Rule. Failure to comply may result in civil and criminal penalties. Among other requirements, by the compliance date of September 23, 2013, BAs must:

  • Appoint a security officer who will be responsible for the organization’s compliance with the HIPAA rules
  • Perform a HIPAA risk assessment to identify current risks and areas that need improved protection
  • Develop and implement HIPAA administrative, technical, and physical safeguard policies and procedures
  • Provide HIPAA privacy and security training to all employees
  • Require that all BA subcontractors comply with the same HIPAA rules

While the existence of a business associate relationship does not depend on a formal agreement, should you be asked to sign one, there are several important aspects to any such agreement. You should consult an attorney experienced in this field to assist you.