HIPAA Compliance and the Role of the Business Associate


It’s no secret that staying compliant with HIPAA regulations can be tough for health-care organizations, but when you add in business associates, things can get even more difficult. I recently attended a panel at the Association of Corporate Counsel’s annual meeting devoted to this challenge, and the discussion focused on improving the relationship between a covered entity (CE) and a business associate, including tips on negotiating a business associate agreement.

Association of Corporate Counsel 2For the uninitiated, a CE is a health plan, health-care clearinghouse, or provider who transmits electronic protected health information (PHI), while a business associate is any organization that performs services for a CE that involve the use or disclosure of PHI.

The first thing a CE needs to do is identify if a vendor qualifies as a business associate, Aileen Casanave, the deputy general counsel for Jiff Inc., said. Casanave said consultants may qualify as business associates, while government agencies, conduits like the U.S. Postal Service, or janitorial service providers, wouldn’t. Jiff, an enterprise health benefits platform company, was recently purchased by Castlight Health.

The next step is to sign a business associate agreement, which is a contract between the CE and the business associate ensuring that the business associate will appropriately safeguard any PHI. Prior to signing, a CE should do due diligence on the prospective business associate, Casanave said.

For example, a CE should require prospective vendors to fill out security questionnaires, Casanave said, and the CE should know what type of servers a vendor uses, how many they have, and what kind of password system they use.

CEs should also consider additional elements to a business associate agreement, including defining how the company’s PHI will be used, Richelle Ladwig, senior managing attorney with Quartz Health Solutions, a health plan services company and third-party administrator, said.

Companies should also consider defining when they expect a business associate to report a data breach and identifying the type of data a business associate should be required to include in a data breach report, Ladwig said.

Stay on top of new developments in health law and regulation with a free trial to the Health Law Resource Center.

Learn more about Bloomberg Law and sign up for a free trial.