With a new era of active enforcement of the HIPAA privacy and security laws upon us, companies need to figure out early on whether they are regulated under HIPAA, either as covered entities or business associates. However, determining whether a company is subject to the HIPAA privacy and security requirements is not always straightforward, especially for companies in the health technology space. There are two ways in which a company can become subject to HIPAA: (1) it functions as a health plan, health care provider or health care clearinghouse, which could make it a HIPAA “covered entity”, or (2) on behalf of a covered entity it assists in the performance of a function involving the use or disclosure of medical information, which could make it a HIPAA “business associate”. There are circumstances where telemedicine, remote medicine and other provider-driven technology companies could qualify as health care providers and hence “covered entities”, but most health tech companies that become subject to HIPAA’s privacy and security requirements do so because they engage in activities that make them “business associates”.
Although “business associate” is broadly defined under HIPAA, not every company that uses or discloses medical information will necessarily fall under the definition; some clearly fall outside it, whereas others fall into a grey area. Here are two important factors that may affect whether a tech company is a “business associate”.
- To be a business associate, a company must be acting “on behalf of” a covered entity.
Although the definition of business associate broadly encompasses a wide range of functions (e.g. legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation and financial), these functions can only make a company a business associate if they are provided “on behalf of” a covered entity. While there is limited guidance on what “on behalf of” means, it can arguably be interpreted as excluding from the “business associate” definition companies that do not sell or provide services specifically intended or designed for use by covered entities. For example, even though some health care providers use iPhones or Skype to transmit medical information, these services are not activities that would require Apple or the owner of Skype to assume the classification of a HIPAA business associate. This interpretation appears to be consistent with guidance from the Department of Health and Human Services explaining that companies that act as mere conduits for medical information such as the phone companies and the Postal Service are not business associates.
Yet while it may seem obvious that the phone companies and the Postal Service are not business associates, these determinations are not as clear cut when you begin to consider the activities of many emerging health technology companies, and in particular companies operating within the mobile health and telemedicine industries. Consider a technology that is intended to facilitate communications among geographically distant physicians. The technology is designed for use by physicians but not customized or specially designed for use by any particular physician or physician group. Is the company that operates this technology acting on behalf of a covered entity? Unfortunately, there is no simple answer to this question. In this case and others like it, determining whether the “on behalf of” element is met will often depend on the specific facts and circumstances (e.g. How is the medical information being used? Where is it stored? What is the nature of the arrangement with the covered entity?).
- The medical information must have originated from a covered entity.
Companies that obtain medical information directly from consumers and do not receive or otherwise obtain information from covered entities are not necessarily business associates. However, companies that not only collect medical information from consumers but also exchange health-related information with covered entities can be considered business associates. This determination will depend on a variety of factors, including the nature of the information exchange that takes place with the covered entity (What type of information is being exchanged? Which direction is it going? Was it modified by the covered entity?). With tech companies increasingly seeking to occupy the role of intermediary between consumer and covered entity, many are going to find it important to consider whether they are exchanging information in ways that could turn them into business associates.
Because HIPAA business associates now have many of the same legal obligations as HIPAA covered entities, whether a company is deemed a business associate can really matter. While there are many good reasons for companies handling health information to adopt strong privacy and security safeguards (e.g. covered entities often require this as a condition of doing business with them), the HIPAA privacy and security requirements impose significant demands on companies, especially on early stage companies that may lack the resources to develop robust HIPAA compliance programs. For these reasons, and because the federal government has significantly ramped up its enforcement of HIPAA in recent years, it’s important to determine early on whether your company is regulated under HIPAA, either as a covered entity or a business associate.