Q. I read a Q&A that discussed who must send out breach notification letters if the business associate (BA) was responsible for the breach. The answer was covered entities. Didn’t HITECH make BAs covered entities?
A. HITECH didn’t make BAs covered entities. The act requires BAs to comply with the HIPAA Security Rule and the use and disclosure provisions of the Privacy Rule. It did not change the BA definition and it did not change the definition of covered entities. (See ARRA, Division A, Title XIII, Subpart D, Section 13401[a] and [b] and Section 13404[a] and [b].)
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
I would like to answer this question as a BA. Chris is absolutely correct. We are an offsite record storage company. That means that we store records for our clients in our facilities. Many of our clients are covered entities by definition. Procedurally, for 30 years and long prior to HIPAA/HITECH, we have never released information to an individual, such as a patient of a doctor’s office. This was done initially so that our clients knew where their information was. We only release information to the CE, and only to their employees that they authorize to receive the information. If one of those employees leaves, it is critical that the CE notify us to remove the name of the employee who is no longer employed there, because the former employee can still, with prior authorization from their previous employer, get information. We have no idea, nor is it our responsibility, to track who another company’s employees are. This has always been a difficult challenge, because our clients often forget to notify us. We usually have to initiate this updated list.
I mention this because many times we get business associate agreements from the CEs (per their requirement as dictated by law) that include the scenario you refer to, as well as addressing releasing the information to a patient. It is not a responsibility of a BA to notify anyone, except for the owner of that information (which is the entity that creates it).
Tom,
Interesting. Are the services you provide more than the offsite storage of records for your clients?
For example, a popular vendor contracts with hospitals to provide offsite storage of medical records. The vendor essentially picks up and delivers boxed-up records when requested.
As clarified a few years ago, entities that provide such service as I described are not considered business associates.
This has helped a lot of small storage companies that I’ve come across over the last few years, as they were being asked to sign BA agreements and have now successfully shown the covered entities that these no longer apply.
Frank,
I would have to respectfully disagree with you regarding whether or not we are a BA. Because of the designated record sets that we store and maintain PHI in, and the definition of a designated record set, we fall into the category. There is a clear distinction between conduits (defined in the law as companies that exclusively transport packages without specifically knowing the contents of these packages) and BAs. Examples of conduits are the United States Postal Service, FedEx, UPS, etc. We also use and disclose protected health information on an individual file level, and not sealed boxes. Therefore, our employees are subject to viewing PHI on an individual basis.
This has been hotly debated among some members of our industry for a few years now, as well as the privacy professional community. Not only is it widely accepted that we are in fact BAs (because very few of us store completely sealed boxes and transport these completely sealed boxes), but in the few occasions where a record storage facility was found to be responsible for a breach, it was for “unlawful use and disclosure”. CEs are required to have BAAs in place for their vendors that perform a service for them that involves the use and disclosure of PHI, and record storage facilities do just that. I know of one such company in the US that was recently assessed a $2 million fine when they had 2 boxes of records stolen from a vehicle. And although we still have some industry senior management types that do not think they are business associates, the community of RIM companies and privacy professionals is hugely in agreement that we are. Some attorneys still do not know that if they represent someone in any case that includes PHI, the attorney himself is a BA because he must use and disclose PHI, and the CE that owns the information must have them sign a BAA. The debate continues...
Tom,
I respectfully disagree. If you “use and disclose” PHI on behalf of a covered entity, you are a business associate. If you ask Iron Mountain, Neospire, Amazon and others, they will adamantly disagree – they do not see themselves as business associates and are not likely to sign any covered entity’s business associate contract.
I could make the argument that custodial services are business associates because they are exposed to PHI but OCR ruled early on that they are not business associates. Any PHI they may be exposed to is considered incidental disclosure.
Will vendors such as large public cloud vendors who store backup data for covered entities and others in a similar business (whether the PHI is paper or electronic) be classified as business associates in the future? That’s the $1 million question. For now, especially the large data storage vendors do not consider themselves business associates because they do not “use and disclose” PHI.
Thanks…Chris
Chris,
I suggest that you read their own HIPAA Primer, which is on the IM website. Page 4.
Chris,
I forgot to mention that a lot of large record storage facilities have hired me to perform the employee HIPAA training program that I have, and I make it very clear from the get-go that it is specifically for business associates. One of these companies is ranked behind IM as being the second largest or the third largest document storage company in the world, depending on who is doing the ranking. I also know people at IM that have stated that they are a business associate, but I guess it depends on who is asked as to what their opinion is. But this is the ongoing great debate that I stated in my original reply to Frank. Some think so, and others think not.
Tom
For the reasons stated by Tom, this is one reason why I keep the OCR clarification letter handy.
I still get calls from CEs that state that storage companies that only provide services consistent and as described in the OCR letter are calling themselves BAs.
After some education and the sharing of the clarification letter, the issue is resolved. Certainly the storage company and the CE still execute an agreement as to what are the expectations between the two as a matter of business but it does not equate or represent a BAA.
What I find very funny is that a storage facility which has agreed in one case that it is not a BA will still push for a BAA with another facility where the storage facility is providing the same services. So as pointed out, consistency is not a key point when dealing with this matter, even when dealing with the same vendor.
I feel the need to clarify something in an effort to better explain my position on this topic. A huge majority of record storage companies store both paper (hard copy) and electronic media (backup data tapes, hard drives, or directly to servers).
I apologize for not making that clear from the beginning. And if I was responsible for anyone’s blood pressure rising, sorry about that too! That wasn’t the goal...
Tom
Tom,
Thanks for the clarification. You didn’t make my blood pressure rise – I always love a good debate.
I did a bit of research and found an old OCR FAQ issued in 2003 and updated in 2006 that I think is relevant. It makes a clear distinction between vendors, such as paper record storage vendors, and other vendors where the only access to PHI would be incidental. Here’s the “official guidance” from OCR…
If workforce members of a record storage facility regularly view PHI as part of their daily work, they are likely business associates. On the other hand, if (and this was the FAQ that included exposure of PHI to custodial crews) exposure is not part of the workforce’s job and exposure would not be considered likely, the vendor is likely not a business associate.
What OCR has not done is caught up with today’s technology and current electronic data storage practices. There is no guidance about cloud vendors, web-based backup solutions and so forth. At this point, if the above holds true, if, say, the cloud vendor or hosting center does not access PHI and access is not a part of their required duties, they are likely not business associates. Now let’s see if OCR catches up with current technology…
Thanks…Chris
Glad to hear it Chris!! I love this stuff too. Most record storage center employees do view PHI, dozens of times daily. We even have a couple employees that see it hundreds of times per day as they do their everyday tasks.
The OCR hasn’t caught up, you are right. And they most likely won’t. Currently, a single LTO II data tape can hold around 4,000,000 folders. How many records can be contained in a folder, of course, depends on the size of each record.
A single LTO VIII (in development now from what I understand) will be able to hold 32 terabytes of data! By the time the OCR figures out how to deal with the II’s, the VIII’s will be the norm.
Tom
I am employed in a small IHS facility and am looking forward to being promoted to a management position in the next few weeks. Although I have not begun to review PHI Policies and Procedures, I fear our facility is so far behind in management and securing of health information. I am aware of two BAs that handle client records: one is the company that transcribes doctors’ orders, H&P, etc., and the other receives a copy of emergency room records to codify information. If there are no P&P that guide this agreement with BAs, where is the best place to go for appropriate guidelines that meet HIPAA/HITECH requirements? Please advise.