Example Situation:

Definitions:

Covered Entity:  Health plans, healthcare clearing houses, and healthcare providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards.  45 CFR §160.103.

Business Associate:  In short, a person or entity that performs activities on behalf of or provides services to a covered entity where the activities and/or services involve the use or disclosure of protected health information.  See 45 CFR §160.103.

Protected Health Information (“PHI”):  Generally relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for healthcare to an individual that identifies the individual or can be used to identify the individual.  See 45 CFR §160.103 and the definition of “individually identifiable health information.”

Generally, HIPAA requires that a Covered Entity enter into Business Associate agreements with the Covered Entity’s Business Associates to ensure adequate protections for the Covered Entity’s PHI.  This is very common for Covered Entities and their Business Associates.  What happens, however, when the Business Associate shares the Covered Entity’s PHI with another vendor who is providing services on behalf of the Business Associate? For example, an IT services provider (Business Associate) may access and retrieve data (PHI) of a client hospital (Covered Entity) and then store the data on the hosting platform of another company (Subcontracted Business Associate).

Issues:

By entering into a Business Associate agreement with the Covered Entity, the Business Associate agrees to safeguard the Covered Entity’s PHI that the Business Associate accesses, retrieves, and hosts.  How does the Business Associate assure that the subcontracted entity appropriately safeguards the Covered Entity’s PHI?

Solution:

A Subcontracted Business Associate agreement is the answer, and it is generally the law.  Under HIPAA, any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate of a Covered Entity, is itself a Business Associate.  A Business Associate may only use or disclose PHI as permitted or required by the Business Associate agreement between the parties or as required by law.  A Business Associate can be directly liable under HIPAA for its use and disclosure of PHI that is not within the permissions granted by the Business Associate agreement or required by law. It is beneficial for both the original Business Associate and the Subcontracted Business Associate to enter into the appropriate Business Associate agreement that sets forth the permissible uses and disclosures of PHI by the Subcontracted Business Associate. It doesn’t stop there either…continue downstream.  If you are the Subcontracted Business Associate, execute Business Associate agreements with your vendors who are receiving PHI of the Covered Entity from you.  It is likely that your Business Associate agreement with the original Business Associate requires it.  If you need help creating a Business Associate to Subcontracted Business Associate agreement or a review of one, contact Maggie DiCostanzo, Esq.