Scenario: A financial planner contacted me, concerned because he had just received an e-mail stating that a business associate agreement needed to be signed in order to work with the company that processes applications for life insurance. The financial planner didn’t know what a business associate under the HIPAA regulations meant and was getting ready to just sign the document and return it. Thankfully, the financial planner reached out for clarification; I quickly advised him not to just sign the agreement and to push back against the company to determine why they thought he was a business associate. While dialogue between the insurance company and the financial planner is still ongoing, an evaluation of the work between the financial planner and the insurance company (and client) makes it clear that the financial planner WOULD NOT be a business associate under the HIPAA regulations.
Since the final Omnibus Rule took effect in 2013, a new wave of confusion and challenge over who is and who is not considered a business associate has come to light. To protect themselves, organizations (Covered Entities and Business Associates) have been requiring that all third parties they work with, in any aspect of the business, sign a business associate agreement. Even if the third party doesn’t meet the definition of a business associate or physically interact with protected health information, a blanket, catch-all approach to obtaining signed business associate agreements is being applied. To create more confusion, many third party organizations are simply signing business associate agreements without truly knowing or understanding what the agreement actually means or the implications of becoming a business associate. Is this the best approach, or is it taking the business associate agreement process to the EXTREME?
MY OPINION (Not Advice): Not everyone is a business associate, and not everyone should sign a business associate agreement. Proper review and governance over the management of business associates within covered entities and business associate organizations needs to be completed. Additionally, the third party organizations that are simply signing business associate agreements should stop and evaluate what it is they are signing. Agreeing to the terms in a business associate agreement and declaring that you are a business associate, or a subcontractor of a business associate, does have major implications.
Covered entities and business associates need to spend time really understanding who may or may not be a business associate. It should not be a blanket process where everyone that works with a specific company automatically has to sign an agreement. Additionally, if information is being shared to support the spectrum of patient care (provider to provider), the business associate definition may not apply. Dedicated individuals who are knowledgeable and understand the regulations should be working with organizations to help them navigate the business associate process.
Per the 2013 Omnibus Rule, a business associate is “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.” Also per the Omnibus Rule of 2013, a “business associate” may be a subcontractor that “creates, receives, maintains, or transmits protected health information on behalf of another business associate.” Those are the key words to use when evaluating whether an organization is a business associate: does it create, receive, maintain, or transmit data on behalf of a covered entity or business associate?
What should an organization do?
The best process for an organization is to have an established person or group of people in charge of the evaluation of business associate agreements. Here are some recommended steps for the overall governance of Business Associates within an organization.
- Create a team or individual responsible for the management of business associates
- Generate a list of the accounts payable reports for the past 3 months and review all third party vendors and/or individuals working for your organization
- Determine the scope of work that the third party has been doing on behalf of the organization
- Evaluate if the third party scope of work being done qualifies the third party as a business associate
- If it is determined that they are a business associate, establish and execute a business associate agreement
- Keep a log of all business associates – some recommended fields are Business Associate Name, Contact Individual, Contact Information, Tasks that qualify as a business associate, Business Associate Agreement signed, Date agreement signed
- Create a process for a proactive review of any NEW third parties with which the organization is going to establish a business relationship
It is now time to effectively oversee and manage the business associate process within an organization – the covered entity should be aware that while business associates and subcontractors are liable for HIPAA compliance, the ultimate liability falls onto the covered entity.
Note to third parties (contractors, subcontractors) – make sure you know and understand the implications of becoming a business associate of an organization. If you truly don’t meet the definition of a business associate or subcontractor, don’t just sign the contract – seek out advice or guidance on the proper steps!