The HIPAA privacy rule (“Privacy Rule”) regulates how health information may be used or disclosed by certain organizations (“Covered Entities”) and protects certain medical information, known as protected health information (“PHI”), against unauthorized disclosure. These Covered Entities include health care providers, health care clearinghouses and employer-sponsored health plans.
When providing a health plan to employees, employers often use third-party service providers to assist with the administration of their plan(s). If that assistance requires the third party to handle PHI, it will be considered a “Business Associate” of the health plan. As such, the Privacy Rule strictly regulates that relationship, and the Covered Entity may disclose PHI to the Business Associate only if it has a written agreement imposing specific obligations on the Business Associate with respect to the use and disclosure of PHI. Failure to have the proper agreement(s) in place is a violation of HIPAA rules and can result in significant penalties.
A recent case highlighting this need involved a physician’s office that failed to secure a Business Associate Agreement from a third-party vendor prior to releasing PHI to it. In this case, Raleigh Orthopaedic Clinic, P.A. of North Carolina (“ROC”) orally arranged for a vendor to harvest the silver from the x-ray films of more than 17,000 patients in exchange for converting the film to electronic media. Following an investigation by the Department of Health and Human Services, ROC agreed to pay $750,000 to resolve the alleged HIPAA violation and further agreed to adopt a robust corrective action plan.
If you are a health plan sponsor, it is prudent to ensure you have current Business Associate agreements in place with all of the service providers to whom you may release PHI. It is recommended that a review of these agreements be done annually. Pay particular attention to vendors who may have access to PHI even if that’s not the primary purpose of the services they provide, e.g.:
- Document disposal services if some of the documents contain PHI;
- Providers of cloud and other off-site data storage facilities;
- Technicians who may have access to PHI while troubleshooting or fixing computer software.
Sample language for Business Associate agreements is provided by the Department of Health and Human Services.
Some employers may believe that they do not have any business associates if they have fully insured health plans. However, employers should consider all aspects of their employee health benefit plans. For example, an employer with a fully insured health plan may still have business associates acting on behalf of a plan if:
- It uses a broker that obtains PHI in order to quote coverage.
- It has a Health FSA.
- It has an HRA.
- It has certain types of wellness or employee assistance programs.