Do the HIPAA Privacy and Security Rules Apply to My Organization? Part Two

Business Associates

November 21, 2018

This article is the second in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA) apply to various legal entities. Part One addressed Covered Entities and appeared in our October 2018 newsletter. This article addresses Business Associates of Covered Entities that are self-insured group health plans.[1]

Quick Recap
Covered Entities are the key stakeholders in the delivery and payment of health care, but they frequently partner with other organizations for assistance. Many of these organizations will need to come into contact with Protected Health Information (PHI) to assist the Covered Entity. Remember, PHI is:

  • Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
  • Identifiable to a specific individual;
  • Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
  • Maintained or transmitted in any form.

What's a Business Associate?
In the group health plan context, HIPAA defines a Business Associate as a third party that requires PHI to perform some function or service on behalf of a group health plan. In other words, a third party that helps make your health plan go but needs PHI to do it. The third party might create, receive, store, or transmit[2] the PHI in this role, but it must be “PHI sticky” in at least one of those ways to be considered a Business Associate. Many of HIPAA’s Privacy and Security requirements apply directly to Business Associates.

Typical Business Associates for a Self-Insured Group Health Plan

Yes:
  • Third party administrator (TPA), including pharmacy benefit manager
  • COBRA administrator (more about this below)
  • Broker/consulting firm
  • Actuaries
  • Record keepers (e.g. Iron Mountain or other third parties storing physical or electronic records with PHI)
  • Other cloud service providers, such as Google if Gmail is used as the email system

No:
  • Plan sponsor/employer
  • Stop-loss carrier (more about this below)

Maybe So:
  • External legal counsel
  • Accountants, if they will see PHI in connection with an audit or review

COBRA Administrators
If a COBRA administrator merely receives enrollment and disenrollment information from the employer (as plan sponsor), the information it receives is not PHI and the COBRA administrator is not technically a Business Associate of the group health plan. The nature and source of the information provided is easily blurred between the employer and group health plan, and it’s common for COBRA administrators to agree to be treated as Business Associates. 

The Curious Case of Stop-Loss
The Rules indicate that stop-loss carriers are not Business Associates of a group health plan when the stop-loss policy insures the plan itself. The Rules are less clear about the more likely scenario where the stop-loss policy insures the employer/plan sponsor directly. In practice, stop-loss carriers are often reluctant to be treated as Business Associates and are frequently excluded. We recommend employers enter into robust non-disclosure agreements with stop-loss carriers not treated as Business Associates.

Business Associate Contracts
Your organization’s group health plan is required to enter into a contractual agreement with all of your Business Associates outlining how the Business Associate may use and disclose PHI, how it will secure PHI, and other rights and obligations the parties have under the Rules.[3] The Department of Health and Human Services (DHHS) has provided sample business associate contract language. Among other items, the contract must include language addressing the parties’ responsibilities when unsecured PHI is improperly used or disclosed (a “breach”). Your organization has a limited amount of time to investigate and respond to a breach.

As a practical matter, it is the employer (as plan sponsor) who must secure the contract for all of the plan’s Business Associates, but Business Associates will often supply their version of this contract to the employer without being prompted. It is in each party’s best business interest to use a standardized contract for administrative ease rather than having to honor the commitments of contracts from different sources, so there is a natural tension between the parties, who each favor their own contracts. The requirements for a Business Associate contract are pretty standard, but it is not unusual for the contract to be more favorable toward the drafting party or to include additional contractual terms beyond what the Rules require, so it is important to have this reviewed by your legal counsel.

Subcontractors
Sometimes Business Associates contract with other organizations to perform one or more functions the Business Associate was hired to perform for the group health plan (“subcontractors,” who are also PHI sticky), and there is no direct relationship between the health plan and the subcontractor. Your Business Associate must represent, in the Business Associate contract it has with your organization, that it has a contract in place with its subcontractor providing all of the same protections under the Rules with respect to any PHI related to your health plan.

Example – A self-insured medical plan engages a TPA for claims administration and other services. One of these services is claims monitoring to reduce fraud, waste, and abuse. The claims monitoring services are actually provided by a subsidiary of the TPA, and the medical plan does not have a direct contract with the claims monitoring subsidiary. The TPA is a Business Associate of the medical plan. The claims monitoring entity is a Business Associate of the TPA and should be addressed as a subcontractor within the Business Associate contract between the medical plan and the TPA.

Next Steps
You should always know who your Business Associates are and should make sure you have a list of all the current vendors who provide services related to your health plans. Of these vendors, which ones use PHI to perform a function on behalf of a group health plan?

These are your Business Associates, and you should maintain current Business Associate contracts with all of them. Don’t forget to make this an implementation step when adding a new vendor who will be a Business Associate to your health plan(s).


[1] In Part One, we addressed that insurance carriers are the Covered Entities for fully-insured group health plans and that employers/plan sponsors generally have few obligations under the Rules for those plans.

[2] A third party that only transmits PHI without accessing or storing it may qualify for an exception as a mere conduit of the information.

[3] A failure to enter into the contract does not mean the third party is not your Business Associate; it just subjects you to potential penalties for non-compliance.

The information contained herein is for general informational purposes only and does not constitute legal or tax advice regarding any specific situation. Any statements made are based solely on our experience as consultants. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. The information provided in this alert is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of the agency, our lawyers or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. This agency is not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions. © 2018 Marsh & McLennan Agency LLC. All Rights Reserved.