There seems to still be a fair amount of discussion around what makes a vendor a business associate. This is actually troubling when you consider that we are about 30 days away from enforcement of the new rules.
I thought that the new Omnibus Rule actually did a good job of clarifying this for everyone. If a vendor creates, receives, maintains or transmits protected health information on behalf of a covered entity that vendor is a business associate. OCR even clarified what constitutes an acceptable “conduit” exemption. If the vendor merely transfers information and retains that information no longer than is necessary to support the transference process then the vendor can claim the conduit exemption. So it’s really quite simple. Ask yourself the following questions:
1. Does the vendor create protected health information either originally or derivatively?
2. Does the vendor receive PHI from any covered entity they work with?
3. Does the vendor store temporarily or long term any PHI from a covered entity?
4. Does the vendor transmit PHI either to and from a covered entity or on their behalf to others?
If the answer to any of these questions is yes, it's a safe bet that the vendor is a business associate. This includes cloud venders, hosting sites, storage sites, processors, service providers, consultants, etc.
Becoming a business associate is about possession. Does the vendor have possession of the PHI? The HHS Office of Civil Rights (OCR) also made it clear that it is not about what level of access the vendor has or whether they ever look at the information. It’s about whether the vendor has it or not. So even if all the vendor does is host the covered entity’s system/application or store its information and never looks at it directly, the vendor is still a business associate. And there is good reason for that.
First, possession often means the vendor could look at the data if they wanted to, and second, there are other security rule requirements around back up, disaster recovery, audit, accounting for disclosures, etc. that you still have even if you do not access the data. Business associates are responsible for compliance with the full HIPAA Security Rule and those portions of the Privacy Rule that apply to what they are doing on behalf of the covered entity. Meaning the responsibilities of the vendor once they take possession of the information go well beyond access alone. This is why the encryption question, although still being reviewed, does not change status. Meaning even if the covered entity encrypts the data before sending to the vendor and retains possession of the key so that the vendor cannot decrypt the information their status as a business associate is still dictated by possession not access.
This makes it an imperative to understand exactly what the covered entity’s expectations are regarding security. Starting with what constitutes Minimal Necessary for this contract to disposition of any data and/or access at contract termination. If there is a breach involving a vendor OCR is likely to investigate the relationship between the covered entity and the business associate first to understand what is involved. One of things that they may look at is whether the information involved in the incident should have been in the vendor’s possession to begin with, whether or not there is an agreement that lays out expectations, whether any due diligence was performed and whether the covered entity knew of any situation that gave cause for concern. If there was how was it handled?
Breaches involving business associates are a shared responsibility since the covered entity bears the burden of notifications externally. As a result the covered entity will likely want to be included in the risk analysis process for any incident. How will you work together to accomplish this? Covered entities and vendors should work together to clarify expectations at the outset of the contract to ensure there are no surprises.
So once again, being a business associate is about what you do, not just what you have access to. Possession determines business associate status. If the vendor creates, receives, maintains or transmits PHI on behalf of a covered entity then the vendor is a business associate. Vendors claiming to be a conduit may only possess the information long enough to support the transfer process and no longer. And, at least for the moment, encryption does not obviate business associate status. Make sure you know your responsibilities and the expectations of your business partner. It could save you some real headaches later.