Do the HIPAA Privacy and Security Rules Apply to My Organization? Part Two

This article is the second in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA) apply to various legal entities.Part One addressed Covered Entities and appeared in our October 2018 newsletter.This article addresses Business Associates of Covered Entities that are self-insured group health plans.[1]

Quick Recap
Covered Entities are the key stakeholders in the delivery and payment of health care, but they frequently partner with other organizations for assistance. Many of these organizations will need to come into contact with Protected Health Information (PHI) to assist the Covered Entity. Remember, PHI is:

• Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
• Identifiable to a specific individual;
• Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
• Maintained or transmitted in any form.

What's a Business Associate?
In the group health plan context, HIPAA defines a Business Associate as a third party that requires PHI to perform some function or service on behalf of a group health plan.  In other words, a third party that helps make your health plan go but needs PHI to do it.  The third party might create, receive, store, or transmit[2] the PHI in this role, but it must be “PHI sticky” in at least one of those ways to be considered a Business Associate.  Many of HIPAA’s Privacy and Security requirements apply directly to Business Associates.

COBRA Administrators
If a COBRA administrator merely receives enrollment and disenrollment information from the employer (as plan sponsor), the information it receives is not PHI and the COBRA administrator is not technically a Business Associate of the group health plan. The nature and source of the information provided is easily blurred between the employer and group health plan, and it’s common for COBRA administrators to agree to be treated as Business Associates. 

The Curious Case of Stop-Loss
The Rules indicate that stop-loss carriers are not Business Associates of a group health plan when the stop-loss policy insures the plan itself. The Rules are less clear about the more likely scenario where the stop-loss policy insures the employer/plan sponsor directly.  In practice, stop-loss carriers are often reluctant to be treated as Business Associates and are frequently excluded.  We recommend employers enter into robust non-disclosure agreements with stop-loss carriers not treated as Business Associates.  

Business Associate Contracts
Your organization’s group health plan is required to enter into a contractual agreement with all of your Business Associates outlining how the Business Associate may use and disclose PHI, how it will secure PHI, and other rights and obligations the parties have under the Rules.[3]  The Department of Health and Human Services (DHHS) has provided sample business associate contract language.  Among other items, the contract must include language addressing the parties’ responsibilities when unsecured PHI is improperly used or disclosed (a “breach”).  Your organization has a limited amount of time to investigate and respond to a breach.  

As a practical matter, it is the employer (as plan sponsor) who must secure the contract for all of the plan’s Business Associates, but Business Associates will often supply their version of this contract to the employer without being prompted.  It is in each party’s best business interest to use a standardized contract for administrative ease rather than having to honor the commitments of contracts from different sources, so there is a natural tension between the parties who each favor their own contracts.  The requirements for a Business Associate contract are pretty standard, but it is not unusual for the contract to be more favorable toward the drafting party or to include additional contractual terms beyond what the Rules require, so it is important to have this reviewed by your legal counsel.

Subcontractors
Sometimes Business Associates contract with other organizations to perform one or more functions the Business Associate was hired to perform for the group health plan (“subcontractors” who are also PHI sticky), and there is no direct relationship between the health plan and the subcontractor.  Your Business Associate must represent in the Business Associate contract that they have with your organization that it has a contract in place with its subcontractor that provides for all of the same protections under the Rules with respect to any PHI related to your health plan.