My Technology Company Says They Aren’t a BA. What do I do?

We have had a rash of these type questions lately.  Personally, I don’t understand why so many technology companies are fighting this concept.  It is really, really hard for anyone to meet the Security Rule requirements without an IT Department or IT Support Company.  In fact, many IT companies are coming to us to help them become compliant and expand their business in the process.  We have been happy to help.  Between the CEs and BAs that must be compliant there is plenty of work for everyone out there.  At least, for everyone willing to do the required work on their end too.

Here are the direct excerpts from the final rule that pretty much seal the deal on an IT support company being a Business Associate, at least in my opinion.  All the following information is pulled from:

  • 3. Subpart A—General Provisions, Section 160.103—Definitions
    • a. Definition of “Business Associate”
      • ii. Inclusion of Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as well as Vendors of Personal Health Records
        • Final Rule

When asked to define what “access on a routine basis” meant the response is as follows:

Regarding what it means to have “access on a routine basis” to protected health information with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity.

So the nature of the services provided and the extent to which the entity needs access to PHI to perform the service is considered when applying HIPAA regulations to data transmission services.  I reference this because it is the most direct statement that could relate to IT services, systems maintenance and network support.  While this doesn’t make some believe they are a BA, we continue with the following further discussions in the rule.

When discussing the conduit BA exceptions in the rule, they specifically reference how narrow the exception is applied.

We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.

So, an entity that maintains PHI for a CE is a BA.  This designation applies even if the entity does not actually view the PHI.  That covers the maintenance of the PHI systems and the fact that tech support staff may not actually view the PHI.  Even more important is the point made about the difference between a conduit and a BA.

….. the difference between the two situations is the transient versus persistent nature of that opportunity.

The persistent nature of the opportunity is what makes the difference.  This reasoning is used further to specifically designate a data storage company as a BA.

…… qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis

And to sum up their point they mention again the maintenance factor of the BA designation.

To help clarify this point, we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” (emphasis added) protected health information on behalf of a covered entity.

An IT support company is generally granted administrator level access to the servers and network devices on an ongoing basis.  I have been in the IT support business for over 25 years.  I have no idea how anyone could provide your business a proper level of maintenance services without the ability to control the servers and device settings on your network.

To sum it up, the nature of the service provided requires complete security level controls of the systems that contain and/or transmit your PHI.  Therefore, administrator access defines the extent to which the entity needs access.  The fact that most IT companies are providing an ongoing support solution means there is a persistent nature of the opportunity.  Finally, the emphasis was added to maintains.   If you are maintaining a server that contains PHI as part of your maintenance contract does that not fall under the “maintains” case?

If your IT company says they are not a BA, they must not have administrator access to your network devices and servers that creates, receives, maintains, or transmits PHI.  If they do, they are a BA.  If they don’t want to be a BA, then, you should find one that does.

Of course, both sides could just ask their attorney’s to write up a decision on all of this if there is a disagreement.  I just don’t understand why that would be necessary.

Filed under: HIPAA Tagged: Business Associate, Business Associate Agreements, Business Associates, Compliance, HIPAA, information hipaa, Privacy Rule, Small Provider