HIPAA Final Rule: Modification of Business Associate Definition, Parts (1) & (2)

February 8, 2013 | Health IT and HITECH, HIPAA Law, Privacy, Security

February 8, 2013.  Today, we examine (1) and (2)—the first two parts of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

As with its predecessor, the modified definition of business associate opens with the phrase “business associate means, with respect to a covered entity, a person.”  [emphasis added]  That’s legal lingo.  As defined at 45 CFR 160.103, person means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”

Here is the modified version of the first two parts of the business associate definition, with modifications underlined, followed by the complete predecessor version of the business associate definition.

Modified Definition of Business Associate

(1) Except as provided in paragraph (4) [Exceptions to Business Associate] of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity may be a business associate of another covered entity.

Predecessor Definition of Business Associate

(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(3) A covered entity may be a business associate of another covered entity.

Here are three key modifications in (1) of the modified definition, aside from some wording rearrangement.

1.  “Individually identifiable health information” in the predecessor version is modified to “protected health information” in the modified version.  The reason for the modification:  “a business associate has no obligation under the HIPAA Rules with respect to individually identified health information that is not protected health information.” [78 Federal Register 5574]

2. “Performs, or assists in the performance of” in the predecessor version is modified to “creates, receives, maintains, or transmits protected health information” in the modified version.  The reason for the modification:  “to clarify that a business associate includes an entity that ‘creates, receives, maintains, or transmits’ protected health information on behalf of a covered entity.  This change is to make the definition more consistent with language at 164.308(b) [Security Rule Business associate contracts and other arrangements standard] and 164.502(e) [Privacy Rule Disclosures to business associates standard], as well as to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.” [78 Federal Register 5574]

3. The modified version includes a new activity, patient safety activities, performed by a Patient Safety Organization (PSO) acting as a business associate.  The Patient Safety and Quality Improvement Act of 2005 (PSQIA) “provides that PSOs must be treated as business associates when applying the Privacy Rule.  PSQIA provides for the establishment of PSOs to receive reports of patient safety events or concerns from providers and provide analyses of events to reporting providers.  A reporting provider may be a HIPAA covered entity and, thus, information reported to a PSO may include protected health information that the PSO may analyze on behalf of the covered provider.  The analysis of such information is a patient safety activity for purpose of PSQIA and the Patient Safety Rule, 42 CFR 3.10, et seq.  While the HIPAA Rules as written would treat a PSO as a business associate when the PSO was performing quality analyses and other activities on behalf of a covered health care provider, … this change to the definition of ‘business associate’ [is] to more clearly align the HIPAA and Patient Safety Rules.” [78 Federal Register 5570]

Finally, note that (2) in the modified version of the business associate definition is identical to (3) in the predecessor definition.  An example is a healthcare clearinghouse in a business associate role with a healthcare provider.

Monday, we begin examination of the new provisions of the modified business associate definition in part (3) of 4 parts.

Tags: 42 CFR 3.20, 45 CFR 160.103, accounting, accreditation, activity, actuarial, benefit management, billing, business associate, claims administration, claims processing, consulting, covered entity, creates, data aggregation, data analysis, definition, disclosure, financial services, function, HIPAA Final Rule, HIPAA rules, individually identifiable health information, legal, maintains, modifications, organized health care arrangement, patient safety activities, Patient Safety Organization, Patient Safety Rule, person, practice management, protected health information, PSQIA, quality assurance, receives, repricing, subchapter, transmits, utilization review, workforce member
© 2023 · hipaa.com