HIPAAdvisory (Phoenix Health Systems)

HIPAAdvisor: Q & A with Steve Fox

HIPAA's Impact on Business Associate Relationships

QUESTION: My organization is a HIPAA-covered entity. What are our obligations with respect to our business associates? Are we subject to penalty because one of our vendors does not comply with the privacy regulation? What types of partnering arrangements qualify as business associations?

ANSWER: HIPAA protects the privacy of individually identifiable health information by regulating those entities that create and disclose this protected health information (PHI). But the healthcare marketplace is complex. Health plans, health care clearinghouses, and health care providers enter into a myriad of different strategic relationships with each other as well as other persons and organizations in their regular course of business. The purpose and outcome of some of these relationships is to place the very information that HIPAA protects into the hands of stakeholders over which the law has no authority. HIPAA's solution? To extend the effect of the regulations to business associates via business associate contracts.

A business associate is an entity that:

  1. performs functions or activities involving the use or disclosure of individually identifiable health information on behalf of a covered entity;
  2. assists in the performance of functions or activities involving the use or disclosure of individually identifiable health information on behalf of a covered entity;
  3. performs or assists in the performance of any other function or activity regulated by HIPAA on behalf of a covered entity; or
  4. performs certain enumerated services to or for covered entities, where the provision of the service involves the disclosure of individually identifiable health information from the covered entity or from another business associate of such covered entity.

As long as covered entities obtain satisfactory assurance that PHI will be "appropriately safeguarded", they may disclose it to business associates and allow business associates to create or receive PHI on their behalf. These assurances must be documented in a written contract or other written agreement with the business associate. The regulations set forth specific requirements for business associate contracts, which include, but are not limited to the following:

  1. establish the permitted and required uses and disclosures of the PHI;
  2. prohibit the business associate from using or disclosing the PHI except as permitted by the contract or as required by law;
  3. require the business associate to use appropriate safeguards to prevent unauthorized use or disclosure of the PHI and to report any unauthorized use or disclosure of which it becomes aware;
  4. ensure that the restrictions and conditions in the contract apply to agents and subcontractors of the business associate; and
  5. authorize the covered entity to terminate the contract if the covered entity determines that the business associate has violated a material term of the contract.

Generally, the actions of business associates relating to PHI are considered to be the actions of the covered entity that engaged them. However, covered entities are subject to sanctions only if they have knowledge of a business associate's wrongful activity and fail to take reasonable steps to cure the breach. If a covered entity is unable to effect a cure, it must either terminate the business associate contract or report the problem to DHHS.

Note: This represents a very broad brush review. Please review the regulations themselves or consult with an appropriate advisor for additional clarification in this complex area.



Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.