The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
by Sara Jasper, JD, Staff Attorney. The Therapist, July/August 2012
If you are considered a Covered Entity for purposes of the Health Insurance Portability and Accountability Act (“HIPAA”) and you have “Business Associates” as defined by HIPAA, you will want to read on to ensure that neither you nor your Business Associate is at risk of committing HIPAA violations for which you could both face lawsuits and/or hefty fines.
Who is a Covered Entity? To be a Covered Entity, a health care provider must transmit health information in electronic form in connection with certain administrative and financial transactions.1 The definition of a Covered Entity, with respect to providers, includes three foundational questions that must be answered before you can determine whether you, as a health care provider, are a “Covered Entity.” Those three foundational questions are: (1) Are you a health care provider? (2) Do you transmit information electronically? And, (3) Do you conduct covered transactions?
You are a Covered Entity only if you answer yes to all three foundational questions, or if someone, such as a billing service, conducts these transactions electronically on your behalf. If you answer yes to just one or two of the foundational questions, and no one conducts the covered transactions electronically on your behalf, then you are not a Covered Entity and HIPAA does not apply to you.
Are You a Health Care Provider? A “health care provider” is any person who furnishes, bills, or is paid for health care in the regular course of their business.2 Included within the definition of health care is rendering counseling for mental conditions.3 Consequently, marriage and family therapists, interns, and trainees are health care providers within the meaning of HIPAA.
Do You Transmit Information Electronically? Transmitting information electronically means using computer-based technology to transmit and store health information.4 The definition covers transmissions over the Internet, an Extranet, leased lines, dial-up lines and private networks, as well as information that is physically moved from one location to another on magnetic tape, disk, or compact disk media.5
Providers should note that facsimile transmissions do not constitute electronic transmissions. This means that the act of faxing information to other covered entities does not make someone a covered entity for HIPAA’s purposes. One caveat worth checking against the current regulation: the exclusion for fax and telephone transmissions applies where the information did not exist in electronic form immediately before the transmission, so faxing a printout of an electronic record is a closer question than faxing a handwritten note.
Do You Conduct Covered Transactions? A covered transaction for HIPAA’s purposes involves transmitting information between covered entities to carry out certain financial or administrative activities related to health care.6 These activities are referred to both as covered transactions and standard transactions, and the terms are synonymous. The emphasis is on certain administrative and financial transactions: not every administrative or financial transaction is covered, only those listed in the federal regulations. Currently, the list includes eight such transactions. Those transactions are:
Who is a Business Associate? A Business Associate is a person or entity to which the Covered Entity discloses protected health information (PHI) so that the person or entity may carry out, assist with the performance of, or perform a function or activity for the Covered Entity.15
In order to determine whether a person or entity is a Business Associate, you first need to decide whether you as the Covered Entity are disclosing Protected Health Information (PHI). PHI means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.16 If you have determined that you are disclosing PHI, the next step is to determine whether the recipient of the PHI provides a service to, for, or on behalf of you. If you answer “yes” to both of those questions, you likely have a relationship that requires a Business Associate Agreement.
Potential Business Associates include the following:
For example, if you were to employ a transcription service to transcribe your progress notes and then transmit them to you electronically, that business relationship would subject both you and the transcription service to HIPAA. Both of you would need to be HIPAA compliant: the nature of the relationship requires you to disclose the PHI of your clients, and the transcription service, as the recipient of that PHI, is performing a service on your behalf.
Background History In February of 2009, Congress passed the Health Information Technology for Economic and Clinical Health (“HITECH”) Act as part of the American Recovery and Reinvestment Act (“ARRA”). The HITECH Act contains several provisions that impact Business Associate agreements between HIPAA Covered Entities and their Business Associates who may use or disclose Protected Health Information on their behalf.
The changes brought about by the HITECH Act require Business Associates to now comply with specific sections of HIPAA and abide by new language surrounding breach notification and the security of data and disclosures of Electronic Health Records. This means that Business Associates are now subject to ARRA civil and criminal penalties for HIPAA violations.
The HITECH Act significantly expanded HIPAA’s reach by making the Security Rule directly applicable to Business Associates and by requiring them to take action if they find that Covered Entities are violating HIPAA. Before the HITECH Act, HIPAA obligated only the health care provider, as a Covered Entity, to police compliance by a Business Associate. That is, if the health care provider became aware of a pattern, activity or practice of the Business Associate that constituted a material breach of the Business Associate’s security obligations under the agreement, the health care provider was required to take reasonable steps to cure the breach. Now, under the HITECH Act, policing is a responsibility of both the Covered Entity and the Business Associate, so the Business Associate must also monitor the health care provider’s compliance. If either the health care provider or the Business Associate becomes aware of a material breach of the other’s obligations, the non-breaching party must take reasonable steps to fix the breach. If those steps prove unsuccessful, the non-breaching party is required to terminate the contract or notify Health and Human Services (HHS).
Also note that the previous requirement that Covered Entities have Business Associate agreements with their Business Associates has not changed. Moreover, unless they have been recently revised, most Business Associate agreements probably still reflect the former policing policies. Therefore, any Business Associate agreements between a health care provider and a Business Associate should be amended to reflect the new requirements related to the relationship.
Business Associates or Covered Entities who have been lax on HIPAA compliance requirements that technically went into effect in 2010 will need to change their ways, and quickly. If you are not sure whether you have Business Associates, or have not already taken a careful look at your Business Associate agreements in light of the HITECH Act (passed in 2009, with these requirements taking effect in 2010), you may need to either put some Business Associate agreements in place or review any old agreements you signed to comply with the expansions to HIPAA.
Actions Your Business Associates Should Take to Safeguard PHI Business Associates should use appropriate safeguards to prevent use or disclosure of PHI that is received from, created, or received on behalf of, the Covered Entity.
The following are some actions Business Associates may take to avoid potential HIPAA violations, subsequent lawsuits and/or fines:
The actions listed above are suggestions, and not all of them will be practical for every business. At a minimum, Business Associates should research and understand the HIPAA standards and make sure there is an agreement in place that specifies how sensitive client information is to be handled.
Business Associate Agreement Requirements HIPAA requires business associate agreements to contain specific terms. The following are provisions which must be included in such agreements:
Thanks to the passage of the HITECH Act and the significant expansion of HIPAA, it is now more important than ever that Covered Entities and Business Associates not only understand and comply with HIPAA requirements, but also have Business Associate agreements in place that adequately reflect the responsibilities of both parties.
Sara Kashing, JD, is a staff attorney for CAMFT. Sara is available to answer member calls regarding business, legal, and ethical issues.
1 45 CFR §164.104
2 45 CFR §160.103
3 45 CFR §160.103
4 45 CFR §160.103
5 45 CFR §160.103
6 45 CFR §160.103
7 45 CFR §162.1101
8 45 CFR §162.1201
9 45 CFR §162.1301
10 45 CFR §162.1401
11 45 CFR §162.1501
12 45 CFR §162.1601
13 45 CFR §162.1701
14 45 CFR §162.1801
15 45 CFR §160.103
16 45 CFR §160.103
17 45 CFR §164.504(e)(2)(i)
18 45 CFR §164.504(e)(2)(ii)(A)
19 45 CFR §164.504(e)(2)(ii)(B)
20 45 CFR §164.504(e)(2)(ii)(C)
21 45 CFR §164.504(e)(2)(ii)(D)
22 45 CFR §164.504(e)(2)(ii)(E)
23 45 CFR §164.504(e)(2)(ii)(F)
24 45 CFR §164.504(e)(2)(ii)(G)
25 45 CFR §164.504(e)(2)(ii)(H)
26 45 CFR §164.504(e)(2)(ii)(I)
27 45 CFR §164.504(e)(2)(iii)