HIPAA Business Associate Examples

Who Does HIPAA Apply To

Many sources of HIPAA business associate examples tend to repeat the examples of HIPAA business associates provided by the Department of Health & Human Services (HHS) on its business associate web page. However, these examples were first produced in 1999, and a lot has happened in the past two decades.

The earliest HIPAA-related mention of business associates was not until the publication of the first Final Privacy Rule in 2000 – prior to which third-party service providers had been referred to as business partners. Although the terminology changed to help covered entities better understand what a business associate is, the examples used in the 1999 proposed Privacy Rule didn't.

Consequently, many sources of HIPAA business associate examples list the same examples that were used twenty-plus years ago – third-party administrators, accountants and auditors, consultants and private accreditation organizations, attorneys, independent transcriptionists, and healthcare clearinghouses that translate claims from a non-standard format for payment.

In fact, the only two services that have been dropped from most lists of HIPAA business associate examples are billing agents and data aggregation/warehousing services. This is relevant to an up-to-date list because – like many more modern healthcare and health insurance operations – these services can now be done more easily in-house or via the cloud using Software-as-a-Service (SaaS) apps.

Up-To-Date HIPAA Business Associate Examples

While accountants, administrators, and attorneys are still classified as business associates when PHI is shared with them, up-to-date HIPAA business associate examples are more likely to include cloud storage services, email encryption services, web hosting services, digital media shredding services, outsourced answering services, and Managed Service Providers.

Vendors of software and mobile apps that have access to the data stored in the software or app are also post-1999 examples of HIPAA business associates. Therefore, business associate agreements should be signed with vendors of telehealth technologies, EHRs, and practice management software if they have access to PHI and – importantly – also with vendors of “zero-knowledge” solutions.

Vendors of “zero-knowledge” solutions (e.g., vault-based password managers) claim to be unable to access PHI stored or shared via their solutions because the password used to access the solution also acts as the decryption key. However, in 2016, HHS issued guidance on zero-knowledge solutions that stated:

“CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key”.

Examples of HIPAA Business Associate Exemptions

There are scenarios in which the HIPAA business associate examples listed above may be exempt from business associate status. Naturally, if PHI is not shared with a third-party service provider such as an accountant, an administrator, or an attorney, the service provider is not a business associate and there is no requirement for a business associate agreement between the two parties.

Similarly, there is no requirement for a business associate agreement to be in place when a covered entity discloses PHI to another covered entity acting as a business associate for permitted uses of PHI (i.e., treatment, payment, and health care operations), or when disclosing PHI for “public interest and benefit activities” to organizations that may be covered entities under HIPAA.

It is also the case that a covered entity providing a service to or on behalf of another covered entity is not considered to be a business associate if both covered entities belong to an integrated delivery system classified as an “Affiliated Covered Entity” or an “Organized Health Care Arrangement”. For example, a physician providing consulting services for a medical facility is not a business associate.

Additionally, different business associate rules may apply if both the covered entity and the business associate are governmental entities (for example, one government agency determining eligibility for a government health plan administered by a different government agency), or if a business associate is required by a federal or state law to provide a service involving the disclosure of PHI to or on behalf of a covered entity. You can find out more about these scenarios in §164.504.

Why Knowing Who Is – and Who Isn't – a HIPAA Business Associate is Important

Covered entities are required to conduct due diligence on potential business associates to obtain satisfactory assurances that business associates will use PHI disclosed to them only for the purposes for which they were engaged by the covered entity, will safeguard PHI from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy and Security Rules.

If covered entities fail to conduct due diligence on potential business associates – and a breach of unsecured PHI results – the covered entity, rather than the business associate, may be held liable by the HHS' Office for Civil Rights. Additionally, conducting due diligence on organizations that do not qualify as business associates is a costly waste of time that may not absolve the covered entity from liability if a HIPAA violation subsequently occurs.

Therefore, it is in everybody's best interests for third-party organizations to understand under what circumstances they qualify as HIPAA business associates, and to put measures in place to comply with the areas of the Privacy, Security, and Breach Notification Rules that apply to them. Covered entities and business associates unsure of their status under HIPAA should seek professional compliance advice.