by Sara Jasper, JD
Staff Attorney
The Therapist
July/August 2012

---

If you are considered a Covered Entity for purposes of the Health Insurance Portability and Accountability Act (“HIPAA”) and you have “Business Associates” as defined by HIPAA, you will want to read on to ensure that neither you nor your Business Associate is at risk of committing HIPAA violations for which you could both face lawsuits and/or hefty fines.

Who is a Covered Entity?
To be a Covered Entity, a health care provider must transmit health information in electronic form in connection with certain administrative and financial transactions.¹ The definition of a Covered Entity, with respect to providers, includes three foundational questions that must be answered before you can determine whether you, as a health care provider, are a “Covered Entity.” Those three foundational questions are: (1) Are you a health care provider? (2) Do you transmit information electronically? And, (3) Do you conduct covered transactions?

You are only a Covered Entity if you answer yes to each of these foundational questions or if someone, such as a billing service, conducts these transactions electronically on your behalf. If you answer yes to just one or two of the foundational questions, or if you do not employ someone to conduct the covered transactions on your behalf, then you are not a Covered Entity and HIPAA does not apply to you.

Are You a Health Care Provider?
A “health care provider” is any person who furnishes, bills, or is paid for health care in the regular course of their business.² Included within the definition of health care is rendering counseling for mental conditions.³ Consequently, marriage and family therapists, interns, and trainees are health care providers within the meaning of HIPAA.

Do You Transmit Information Electronically?
Transmitting information electronically means to use computer-based technology to transmit and store health information.⁴ For instance, using the Internet, an Extranet, leased lines, dial-up lines, private networks and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media come within the meaning of the definition.⁵

Providers should note that facsimile transmissions do not constitute electronic transmissions. This means that the act of faxing information to other covered entities does not make someone a covered entity for HIPAA’s purposes.

Do You Conduct Covered Transactions?
A covered transaction for HIPAA’s purposes involves transmitting information between covered entities to carry out certain financial or administrative activities related to health care.⁶ These activities are referred to both as covered transactions and standard transactions, and the terms are synonymous. The emphasis, however, is on certain administrative and financial transactions. It is not all administrative and financial transactions that we are concerned about, however. It is just the transactions that have been listed in the federal regulations. Currently, the list includes eight such transactions. Those transactions are:

1. A request to obtain payment from a health plan for the rendering of health care to one of your patients, and any necessary accompanying information regarding the health care;⁷
2. An inquiry regarding a patient’s eligibility, coverage, or benefits under a health plan, or a response from a health plan to you about such issues;⁸
3. A request that treatment or a referral be authorized, or a response to such a request;⁹
4. An inquiry regarding the status of a health care claim made by you, or a response about the status of such a claim;¹⁰
5. Transmission of subscriber (patient) information to a health plan to establish or terminate insurance coverage;¹¹
6. Transmission of the following information from a health plan to a health care provider’s financial institution: payment, information about the transfer of funds, or payment processing information. Or, transmission of the following information from a health plan to a health care provider: explanation of benefits information or remittance advice;¹²
7. Conducting health plan premium payment transactions (typically not done by health care providers); and,¹³
8. Transmission of claim or payment information to a health plan for the purpose of determining the relative payment responsibilities of such plan for health care (coordination of benefits).¹⁴

Who is a Business Associate?
A Business Associate is a person or entity to which the Covered Entity discloses protected health information (PHI) so that the person or entity may carry out, assist with the performance of, or perform a function or activity for the Covered Entity.¹⁵

In order to determine whether a person or entity is a Business Associate, you first need to decide whether you as the Covered Entity are disclosing Protected Health Information (PHI). PHI means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, transmitted or maintained in any other form or medium.¹⁶ If you have determined that you are disclosing PHI, the next step is to determine whether the recipient of the PHI provides a service to, for, or on your behalf. If you answer “yes” to both of those questions, you likely have a relationship that requires a Business Associate Agreement.

Potential Business Associates include the following:

• Lawyers
• External auditors or accountants
• Professional translator services
• Answering services
• Accreditation Agencies
• Shredding companies
• Software companies that may be exposed to or use PHI
• Transcription services, even if you contract with an individual as opposed to a company

For example, if you were to employ a transcription service to transcribe your progress notes and then transmit them to you electronically, the nature of that business relationship would subject you and the transcription service to HIPAA. The relationship between you and the transcription service would require that you both be HIPAA compliant because not only does the nature of your relationship require you to disclose the PHI of your clients, but also the transcription service, being the recipient of the PHI, is performing a service on your behalf.

Background History
In February of 2009, Congress passed the Health information Technology for Economic and Clinical Health (“HITECH”) Act as part of the American Recovery and Reinvestment Act (“ARRA”). The HITECH Act contains several provisions that impact Business Associate agreements between HIPAA Covered Entities and their Business Associates who may use or disclose Protected Health Information on their behalf.

The changes brought about by the HITECH Act require Business Associates to now comply with specific sections of HIPAA and abide by new language surrounding breach notification and the security of data and disclosures of Electronic Health Records. This means that Business Associates are now subject to ARRA civil and criminal penalties for HIPAA violations.

The HITECH Act significantly expanded HIPAA’s reach by making the Security Rules directly applicable to Business Associates and by requiring them to take action if they find that Covered Entities are violating HIPAA. Before the HITECH ACT, HIPAA obligated only a health care provider, as a Covered Entity, to police compliance by a Business Associate. Meaning, if the health care provider became aware of a pattern, activity or practice of the Business Associate that constituted a material breach of the Business Associate’s security obligations under the agreement, the health care provider was required to take reasonable steps to cure the breach. Now, under the HITECH ACT, policing is a responsibility of both the Covered Entity and the Business Associate. Accordingly, the Business Associate must also monitor the health care provider’s compliance. This means that if either the health care provider or the Business Associate become aware of a material breach of the other’s obligations, the nonbreaching party must take reasonable steps to fix the breach. If those steps prove unsuccessful, the non-breaching party is required to terminate the contract or notify Health and Human Services (HHS).

Also note that the previous requirement that Covered Entities have Business Associate agreements with their Business Associates has not changed. Moreover, unless they have been recently revised, most Business Associate agreements probably still reflect the former policing policies. Therefore, any Business Associate agreements between a health care provider and a Business Associate should be amended to reflect the new requirements related to the relationship.

Business Associates or Covered Entities who have been lax on HIPAA compliance requirements which technically went into effect in 2010 will want/need to change their ways and make those changes quickly. If you are not sure whether you have Business Associates or have not already taken a careful look at your Business Associate agreements in light of the passage of the HITECH Act in 2010, it is possible that you will need to either put some Business Associate agreements in place or review any old agreements you signed to comply with the expansions to HIPAA.

Actions Your Business Associates Should Take to Safeguard PHI Business Associates should use appropriate safeguards to prevent use or disclosure of PHI that is received from, created, or received on behalf of, the Covered Entity.

The following are some actions Business Associates may take to avoid potential HIPAA violations, subsequent lawsuits and/or fines:

• Conduct and document an initial risk assessment/analysis in order to determine whether the business has implemented HIPAA security safeguards.
• Research and understand the HIPAA standards and a Business Associate’s role in handling PHI.
• Draft a Business Associate agreement that clearly defines the Business Associate’s role and obligation in handling clients’ sensitive information. Include clauses about the termination of the agreement, information ownership and notification of a breach of PHI.
• Conduct annual training for employees, contractors and subcontractors on how to prevent the improper use or disclosure of PHI.
• Adopt policies and procedures regarding the safeguarding of PHI.
• Enforcement of those policies and procedures, including sanctions for anyone who is found to be out of compliance with HIPAA.
• Implement appropriate technical safeguards to protect PHI, including access controls, authentication and transmission security:
• Implement appropriate physical safeguards to protect PHI, including workstation security and device and media controls.
• Appoint a Risk Management and Security Officer position to implement, manage and oversee compliance to ensure everyone is following the documented policies and procedures, preferably someone with a strong technical background.

The actions listed above are suggestions not all of which will be practical for individuals doing business. At a minimum, Business Associates should research and understand HIPAA standards and make sure there is an agreement in place that specifies how sensitive client information is to be handled.

Business Associate Agreement Requirements
HIPAA requires business associate agreements to contain specific terms. The following are provisions which must be included in such agreements:

• A statement of permitted and required uses and disclosures.¹⁷
• A limitation on the parties using or disclosing PHI other than as stated in the agreement or as required by law.¹⁸
• A statement that the parties will use appropriate safeguards to prevent the inappropriate use or disclosure of PHI.¹⁹
• A statement that the parties will report uses or disclosures of PHI that violate the business associate agreement.²⁰
• A statement ensuring that the parties’ agents and subcontractors agree to the same restrictions and conditions that apply to the business associate and covered entity. ²¹
• A statement that the parties will make PHI available as required by the Privacy Rules “right to access” provision.²²
• A statement that the parties will make PHI available for amendment and will incorporate amendments as required by the Privacy Rules “right to request an amendment” provision.²³
• A statement that the parties will provide an accounting of uses and disclosures as required by the Privacy Rules “right to an accounting” provision.²⁴
• A statement that the parties will let the United States Department of Health and Human Services audit them to determine compliance with the business associate agreement provisions.²⁵
• A statement that the parties will return or destroy all PHI at the termination of the contract or, if that is not feasible, will continue to protect the information while maintaining the PHI.²⁶
• A statement authorizing the parties to terminate the agreement upon a determination that the business associate breached the contract.²⁷

Thanks to the passage of the HITECH Act and the significant expansion of HIPAA, it is now more important than ever that Covered Entities and Business Associates not only understand and comply with HIPAA requirements, but also have Business Associate agreements in place that adequately reflect the responsibilities of both parties.

---

Sara Kashing, JD, is a staff attorney for CAMFT. Sara is available to answer member calls regarding business, legal, andethical issues.

---

¹ 45 CFR §164.104
² 45 CFR §160.103
³ 45 CFR §160.103
⁴ 45 CFR §160.103
⁵ 45 CFR §160.103
⁶ 45 CFR §160.103
⁷ 45 CFR §162.1101
⁸ 45 CFR §162.1201
⁹ 45 CFR §162.1301
¹⁰ 45 CFR §162.1401
¹¹ 45 CFR §162.1501
¹² 45 CFR §162.1601
¹³ 45 CFR §162.1701
¹⁴ 45 CFR §162.1801
¹⁵ 45 CFR §160.103
¹⁶ 45 CFR §160.103
¹⁷ 45 CFR §164.504(e)(2)(i)
¹⁸ 45 CFR §164.504(e)(2)(ii)(A)
¹⁹ 45 CFR §164.504(e)(2)(ii)(B)
²⁰ 45 CFR §164.504(e)(2)(ii)©
²¹ 45 CFR §164.504(e)(2)(ii)(D)
²² 45 CFR §164.504(e)(2)(ii)(E)
²³ 45 CFR §164.504(e)(2)(ii)(F)
²⁴ 45 CFR §164.504(e)(2)(ii)(G)
²⁵ 45 CFR §164.504(e)(2)(ii)(H)
²⁶ 45 CFR §164.504(e)(2)(ii)(I)
²⁷ 45 CFR §164.504(e)(2)(iii)