A company that does business within the health care sector may qualify as a business associate, making the company subject to HIPAA. A business associate is required to comply with the HIPAA Security Rule and have a Business Associate Agreement with its customers that are covered entities or business associates. Business associates can be directly liable under HIPAA and may be subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information (PHI) that are not authorized by its Business Associate Agreements or for failing to safeguard PHI in compliance with the Security Rule. Understanding whether your company is a business associate, and if it is, becoming HIPAA compliant can save your company from the costs, both financial and reputational, of a HIPAA violation.
Generally, to qualify as a business associate a company must provide a service to a covered entity or business associate that involves access to, or use or disclosure of PHI. The definition of a covered entity is limited to health care providers, health plans and health care clearinghouses. A business associate helps a covered entity carry out its business functions, activities or operations if those services require access, use or disclosure of individual patient's PHI. Examples of business associates include pharmacy benefits managers, software companies, auditors and medical transcription services. There are also downstream business associate subcontractors that provide services to a business associate that require access, use or disclosure of PHI. There are some limited exception to the rule, like if access to PHI is only incidental (like janitorial services) or if the company only acts as a conduit of PHI (like a courier or the post office).
If your company does not need access to PHI to provide services, it is in your company's interest to avoid being designated a business associate. Although some covered entities or business associates may push for a business associate agreement, companies should avoid unnecessary business associate agreements and the contractual and regulatory burdens that those agreements impose. The Canoy Law Group can help you determine whether your company is a business associate, and provide guidance and advocacy to support your business either by arguing against your role as a business associate, or guiding your business through HIPAA compliance.