It is important to first determine if there is any patient information involved in your business at all. Before you quickly determine that your services are not those of a Business Associate, let's review some examples:
Consider and weigh incidental exposure to PHI
There are exceptions for entities that function as conduits. Those exceptions apply to companies that transmit data but never have access to it. Even in these cases, you should consider protecting yourself as well as the data you or your staff may be able to access. For example:
- Courier services, the US Post Office, etc. fall under the conduit exception.
- If you are a phone company, PHI may go over your lines, but there is little or no access to the data. However, if you are a telecom service provider, do your technicians ever have access to voicemail or data transmissions?
- A company that sells copier/fax machines or similar office or clinical equipment generally has no concerns. However, can your service technicians or any staff member access stored data during repairs or at the end of a lease term?
- A cleaning service may never see patient information when cleaning the office during normal business hours. Any work they do shouldn't put them in direct contact with patient information except by complete accident. However, consider gaps in physical and technical security safeguards if service is performed after normal business hours.
Don't worry yet about what happens with the data; just consider whether there is any chance of seeing or accessing patient data.
Access to protected health information.
If anything you do involves being able to see or access a patient name, address, social security number or date of birth, you are likely a Business Associate. Examples of such identifiers:
- Street address
- Telephone number
- E-mail addresses
- Social Security Number
- Medical record number or other health plan account numbers
- Certificate or License Numbers
- Device identifiers and serial numbers
- Device URLs or IP addresses
Provide Services or Activities to Medical Practices
Business Associates as defined by HIPAA regulations cover a broad spectrum of activity. Below is a list of services and activities that are often performed by a Business Associate or Subcontractor:
- data aggregation
- physical or electronic data storage
- financial services
- technology support services
- application support services
- data storage services
- shredding services
- claims processing or administration
- data analysis, processing, or administration
- utilization review
- quality assurance
- patient safety activities
- benefit management
- practice management
Any company that stores patient information, even encrypted, is now considered a BA under the 2013 rules. Simply having persistent access to the protected information is all that matters.
The key to determining whether an exception might apply is the transient vs. persistent nature of access. If your access to the data is very rare, very brief and then removed, you may not be a BA. If, however, your access to the data is always present, then you are a BA. Even if you have no need to see the data, the fact that it is consistently available to you makes you a BA. The Final Rule specifically states that a data storage company is a BA even if it stores the data in an encrypted format; what matters is that the data is always on its servers.
You would be considered a Business Associate as defined by HIPAA standards.
Your vendor may not be a Business Associate as defined by HIPAA standards. However, be certain to consider the physical and technical safeguards you have in place. Addressing confidentiality is also strongly recommended.