If your company creates, receives, maintains or transmits Protected Health Information (PHI) on behalf of a Covered Entity and is not a member of that Covered Entity's Workforce, or if it provides accounting, legal, processing or administration, data analysis or aggregation, financial services or similar services that require PHI to perform, then you are a Business Associate. This includes vendors of Personal Health Records (PHRs) that provide the PHR on behalf of a Covered Entity. Cloud services companies such as Amazon Web Services (AWS) are also Business Associates, since they receive, maintain and transmit PHI as part of the service they provide to your company.
In serving this vital role as a Business Associate to Covered Entity clients, health tech companies are subject to a multitude of requirements and expectations:
- The Privacy Rule
- The Security Rule
- The Enforcement Rule
- The Breach Notification Rule
- The 2013 Omnibus Rule
- Other federal laws, such as the protection of substance abuse records (42 CFR Part 2)
- Applicable state medical privacy laws that go beyond HIPAA, such as:
  - California’s Confidentiality of Medical Information Act (CMIA)
  - Texas’s Medical Privacy Records Act
  - Massachusetts’s data security requirements (Mass. 201 CMR 17)
  - The Breach Notification Rule
  - Numerous state-specific laws, such as laws requiring patient consent for uses and disclosures of “extra-sensitive health information” (HIV, mental health, STDs, genetic information, etc.)
Some state laws have a broader scope than HIPAA. For example, the California CMIA defines “Medical Information” more broadly than HIPAA defines Protected Health Information.
Business Associates are required to have a Business Associate Agreement (BAA) with their Covered Entity clients. HHS provides sample language for you to work with if your Covered Entity client does not have a BAA to provide you.
A Subcontractor Business Associate is an entity to which a Business Associate delegates a HIPAA-covered service, activity or function, other than in the capacity of a member of the Business Associate’s Workforce. A Business Associate is required to have a BAA with each Subcontractor Business Associate. Each Subcontractor Business Associate must in turn have a Subcontractor BAA with each of its own downstream vendors to which it delegates any HIPAA-covered function, activity or service; this obligation applies to every Subcontractor Business Associate down the line. The Covered Entity that provided the PHI is not required to have a BAA with the Business Associate’s subcontractors.
One of the important services I provide to my clients is the review of BAAs before they sign. BAAs often contain language not required by HIPAA, and many of these provisions require and/or prohibit certain activities in ways that may be detrimental to your business. My goal is to redline these unrequired provisions and negotiate on your behalf with the prospective client to ensure your business can run, and that they’re not asking you to comply with requirements that are onerous or impossible to comply with.