DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses circumstances under which entering into a business associate agreement is not required.
What are the Circumstances Under Which Entering into a Business Associate Agreement is Not Required?
Circumstances under which entering into a business associate agreement is not required include:
1. An entity is not a business associate. Under the HIPAA Privacy Rule, to meet the definition of "business associate," an entity must create, maintain, receive, and/or transmit PHI, in the course of performing specified services for or on behalf of a covered entity. An entity that does not engage in these activities is not a business associate.
2. Entities acting on their own behalf or on behalf of the patient. The business associate requirements only apply to entities who are performing a function involving PHI on behalf of a covered entity or its business associate.
Entities handling PHI for their own purposes are not business associates. For example, a provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the ‘business associate’ of the other.
Similarly, a bank or financial institution is not a business associate of a covered entity when it “processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums.” In these cases, “the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity” and is not a business associate.
In addition, where a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other. Likewise, covered entities that simply provide PHI for another covered entity’s healthcare operations are not business associates of the other entity.
Finally, an entity performing services on behalf of a patient, not on behalf of a healthcare provider, is not a business associate (e.g., an attorney who requests health information to represent the patient, or a company that collects and interprets data on behalf of a patient) with respect to that provider.
3. Entities who are mere “conduits” for PHI. Entities that transmit PHI for a covered entity are not business associates if they are not required to access the PHI on a routine basis, i.e., they are merely “conduits” of the PHI (e.g., internet service providers, phone companies, etc.).
Whether an entity has access to PHI on a routine basis is a fact-specific determination, based on the nature of the services provided and the extent to which the entity needs access to PHI to perform the service for the covered entity. The "conduit exception" to being a business associate is a narrow one, intended to apply to only those entities providing mere courier services, such as the U.S. Postal Service or UPS, and their electronic equivalents, such as internet service providers (ISPs) who merely provide data transmission services.
4. Members of a covered entity's or contractor's workforce. The definition of "business associate" under HIPAA specifically excludes members of a covered entity's or contractor's workforce.
The HIPAA regulations define "workforce" as "employees, volunteers, trainees, and other persons whose conduct, in performance of work for a covered entity or a business associate, is under the direct control of such entity or business associate, whether or not they are paid by the covered entity or business associate."
5. Healthcare providers to whom a covered entity provides PHI to treat patients.
A healthcare provider is not a business associate of other covered entities while rendering treatment to patients. The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures of PHI by a covered entity to a health care provider for treatment purposes.
For example,
- A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
- A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
- A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.