Do you know your business associates? As the April 14 privacy standards compliance deadline approaches, covered entities should make sure their business associate contracts reflect HIPAA's requirements

Healthcare Financial Management, Jan, 2003 by Gerald M. Hinkley, Rachel Glitz, W. Reece Hirsch

A bank processes credit-card transactions for your hospital, giving the bank access to certain protected health information (PHI). A hospital hires a consulting firm to review its billing practices. A health plan provides a list of its members to a pharmaceutical company to market a drug. Do any of these situations constitute a business associate relationship as defined by HIPAA? You will need to know before April 14.

Although the ambiguous language and breadth of the requirements in the HIPAA privacy standards leave room for error, HIPAA compliance is attainable. In terms of business associate contracts, HIPAA requires that covered entities identify and enter into contracts with their business associates to safeguard the privacy of PHI.

Identifying Business Associates

The first step toward compliance with the HIPAA business associate requirements is to identify the covered entity's business associates.

Determine who is a business associate. A business associate is anyone who performs or helps perform a function or activity involving the use or disclosure of PHI, transmitted or maintained in any form, including electronic media, when that function or activity is performed on behalf of a covered entity or an organized healthcare arrangement in which the covered entity participates. As such, the definition of a business associate relies on what the entity does, not what it is.

A business associate's functions and activities are likely to include claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; billing; benefit management; practice management; or repricing. For example, a hospital that contracts with a billing company has created a business associate relationship because the billing company is acting on the provider's behalf and is receiving PHI in the form of patient billing information.

Business associates need not be businesses traditionally associated with healthcare services. Any individual or entity that receives PHI from a covered entity while providing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services may be a business associate. For example, a hospital that hires a consultant to review its billing practices enters into a business associate relationship with that consultant.

Narrow your list. Not all of a covered entity's contracting parties are business associates under HIPAA. A contracting party that does not have access to PHI is not a business associate. For example, a medical group that uses a courier service to deliver medical records to a laboratory does not have a business associate relationship with that courier service, provided that the courier does not view the medical records in the course of its services. Incidental access is permitted if the covered entity has reasonable safeguards in place to prevent unauthorized disclosure of PHI. A janitorial service, for example, is not a business associate as long as the covered entity has taken reasonable precautions to limit disclosure. Although the service is performed on behalf of the covered entity, a janitor's access to PHI would be incidental to the job of cleaning.

Even contracting parties that receive PHI are not business associates in all instances. Importantly, the business associate rule applies to contracts that are performed on behalf of the covered entity. If the individual or entity is acting independently or on behalf of someone other than the covered entity, no business associate relationship exists. For example, physicians who contract with a health plan to participate in its provider network typically are not business associates of the health plan. Although the physicians are providing PHI to the health plan (for payment purposes), they are acting on behalf of the patients, not on behalf of or providing a service to the health plan. Similarly, if a health plan provides a list of its members to a pharmaceutical company to market a drug to certain plan members, the pharmaceutical company is not a business associate of the health plan because it is not acting on behalf of the health plan. Although the disclosure to the company probably would require the plan members' authorization, the transaction between the plan and the pharmaceutical company does not create a business associate relationship.

Cross-check your contracts with an exceptions checklist. Additional exceptions to the business associate rule exist (see sidebar, page 56). Even a covered entity's contracts that clearly fall under the rule should be cross-checked against the exceptions.

Avoid entering into a business associate contract where no business associate relationship exists. A covered entity, such as a hospital, does not need a business associate contract with a bank that processes consumers' payment for health care. By processing credit- or debit-card transactions or clearing checks for a hospital, a bank will have access to certain PHI, but access to that information does not make the bank a business associate of the hospital. The bank is not acting on behalf of the hospital in performing its functions; it is providing financial services. Entering into a business associate agreement would unnecessarily burden both parties with provisions that do not suit the nature of the arrangement, such as the requirement that the business associate return or destroy, if feasible, all PHI received from the covered entity upon termination of the agreement.

 


Content provided in partnership with Thompson Gale