Are You in the Business Associate Danger Zone?
According to Statista, health expenditures in the US are a whopping 18% of US GDP. Regardless of what you do or where you live, virtually everyone interacts with the US healthcare system in some way. The US healthcare system has several different entities that assist with providing individuals with care, such as healthcare providers, health plans, and clearinghouses; these are classified under the Health Insurance Portability and Accountability Act ("HIPAA") as covered entities. Additionally, legal, billing, consulting, and other individuals and companies provide invaluable services to these covered entities but are not covered entities themselves.
HIPAA and the Health Information Technology for Economic and Clinical Health Act ("HITECH") regulate entities that handle patient data. Various organizations and individuals serve the healthcare system, but that does not necessarily place them under the purview of these regulations. A frequent question that many companies that are not covered entities face, especially start-up health technology companies, is whether or not they must comply with HIPAA. HITECH extends HIPAA compliance directly to Business Associates. Thus, all companies or individuals deemed a Business Associate must comply with various HIPAA regulations.
One frequent question that companies that are not covered entities ask: Am I a Business Associate? There is no agreement or official classification that makes someone a Business Associate. You’re a Business Associate if you receive Personal Health Information (“PHI”) on behalf of a covered entity or another Business Associate; this does not include general enrollment information, basic genetic testing, basic information to plan sponsors, and other non-PHI. Business Associates do not need a direct relationship with a covered entity to be a Business Associate. Even if you’re merely providing a service on behalf of a Business Associate and you receive PHI, you’re deemed a Business Associate.
PHI is defined by the HIPAA and HITECH regulations. HIPAA defines PHI as information that relates to health conditions, health care services, or payment for healthcare services AND identifies the patient. There are 18 PHI identifiers cited under HIPAA, but generally speaking, any information that can identify an individual qualifies. The HHS cites medical records, lab reports, and hospital bills as examples of PHI because such records “would contain a patient’s name and/or other identifying information associated with the health data content.” The determining factor regarding whether a Business Associate possesses PHI is the relationship between personal identifiers and health information. Data can be de-identified in accordance with 45 CFR 164.514 and is thus not considered PHI under the Privacy Rule.
If you receive data classified as PHI under HIPAA and that data has not been properly de-identified (stripped of the 18 identifiers), you’re a Business Associate. Thus, you need to be vigilant about the data you receive and the regulations governing the handling of such data. If you have any questions, you should reach out to an attorney who is familiar with HIPAA and HITECH to make sure you're complying with the law.