Many sources of HIPAA business associate examples tend to repeat the examples of HIPAA business associates provided by the Department of Health & Human Services (HHS) on its business associate web page. However, these examples were first produced in 1999, and a lot has happened in the past two decades.
The earliest HIPAA-related mention of business associates was not until the publication of the first Final Privacy Rule in 2000 – prior to which third party service providers had been referred to as business partners. Although the terminology changed to help covered entities better understand what a business associate is, the examples used in the Privacy Rule didn´t.
Consequently, many sources of HIPAA business associate examples list the same examples that were used twenty-plus years ago – third-party administrators, accountants and auditors, private accreditation organizations, attorneys, independent transcriptionists, and healthcare clearinghouses that translate claims from a non-standard format for payment.
In fact, the only two services that have been dropped from most lists of HIPAA business associate examples are billing agents and data aggregation/warehousing services: which is relevant to an up-to-date list because – like many more modern healthcare and health insurance operations – these services can be done more easily in-house or via the cloud using Software-as-a-Service (SaaS) apps.
Up-To-Date HIPAA Business Associate Examples
While accountants, administrators, and attorneys are still classified as business associates when PHI is shared with them, up-to-date HIPAA business associate examples are more likely to include cloud storage services, email encryption services, web hosting services, password managers, digital media shredding services, outsourced answering services, and Managed Service Providers.
Vendors of software and mobile apps that have access to the data stored in the software or app are also post-1999 examples of HIPAA business associates. Therefore, business associate agreements should be signed with vendors of telehealth technologies, EHRs, and practice management software if they have access to PHI and – importantly – also with vendors of “zero-knowledge” or “no view” solutions.
Vendors of “zero-knowledge” and “no view” solutions (i.e., vault-based password managers) claim to be unable to access PHI stored or shared via their solutions because the password to access the solution acts as a decryption key. However, in 2016, HHS issued guidance on zero-knowledge solutions that stated:
“CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key”.
Examples of HIPAA Business Associate Exemptions
There are scenarios in which the HIPAA business associate examples listed above may be exempt from business associate status. Naturally, if PHI is not shared with a third party service provider such as an accountant, an administrator, or an attorney, the service provider is not a business associate and there is no requirement for a business associate agreement between a covered entity and a third party service provider.
Similarly, there is no requirement for a business associate agreement to be in place when a covered entity discloses PHI to another covered entity acting as a business associate for permitted uses of PHI (i.e., treatments, payments, and health care operations), or when disclosing PHI for “public interest and benefit activities” to organizations that may be covered entities under HIPAA.
It is also the case that a covered entity providing a service to or on behalf of another covered entity is not considered to be a business associate if both covered entities belong to an integrated delivery system classified as an “Affiliated Covered Entity” or an “Organized Health Care Arrangement”. For example, a physician providing consulting services for a medical facility is not a business associate.
Other HIPAA business associate exemptions include:
- When both the covered entity and the third party service provider are governmental entities
- When a physician discloses PHI to an external therapist for the treatment of a patient.
- When a hospital discloses PHI to an outsourced laboratory for the treatment of a patient.
- When PHI is collected for or shared on behalf of a health plan that is a public benefits program – i.e., Medicare.
- When a healthcare provider discloses PHI to a health plan to support a Part 162 transaction (i.e., request for authorization).
- When any access to PHI by a third party service provider is unintentional or incidental (i.e., an environmental services provider).
- When the third party qualifies as a physical conduit for PHI. Examples include the US Postal Service, DHL, UPS, and FedEx.
- When a financial institution processes payments for health care or health plan premiums (because it is providing its normal banking services rather than a service for or on behalf of a covered entity).
Why Knowing Who Is – and Who Isn´t – a HIPAA Business Associate is Important
Covered entities are required to conduct due diligence on potential business associates to obtain and document satisfactory assurances that business associates will use PHI disclosed to them only for the purposes for which they were engaged by the covered entity, will safeguard PHI from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy and Security Rules.
If covered entities fail to conduct due diligence on potential business associates – and a breach of unsecured PHI results – the covered entity, rather than the business associate, may be held liable by the HHS´ Office for Civil Rights. Additionally, conducting due diligence on organizations that do not qualify as a business associate is a costly waste of time that may not absolve the covered entity from liability if a HIPAA violation subsequently occurs.
Therefore, it is in everybody´s best interests for third party organizations to understand under what circumstances they qualify as HIPAA business associates, and to put measures in place to comply with the areas of the Privacy, Security, and Breach Notification Rules that apply to them. Covered Entities and Business Associates unsure of their status under HIPAA should seek professional compliance advice.