Firms providing support and assistance to healthcare organizations often enter into debate with their customers as to whether they and their offerings fall into the definition of a business associate and therefore require execution of a Business Associate Agreement (BAA) or Business Associate Contract (BAC).
In many cases, the answer is clear. According to the Health Insurance Portability and Accountability Act (HIPAA), a business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity” (45 CFR 160.103). The regulation provides some examples of this relationship, such as a firm providing claims processing services to a hospital, a CPA or attorney that requires access to PHI to provide their services, independent transcription services, and others. However, exceptions to this relationship also exist. The two most commonly cited are disclosures by an entity to a health care provider for treatment of the individual, and disclosures that are incidental when the services provided do not involve the use or disclosure of PHI (45 CFR 164.502(e)).
In many cases, the wording provided by the regulation is clear, and the thought exercise to determine the relationships a health care provider has with supporting individuals or organizations can be easily accomplished. However, the continued adoption of electronic medical record technology and the emphasis on quality and efficiency have placed PHI on the doorstep of many organizations that have never before had to consider their own ability to safeguard this data.
One such example is the evolution of the role of medical devices in the healthcare setting. Once “dumb” machines responsible for performing a very specific task, these devices have now become smarter, providing integration into the provider’s network and transmission of critical information, along with PHI, to the organization’s electronic medical record (EMR) or other systems such as the picture archiving and communication system (PACS).
With these devices gaining intelligence, their manufacturers must provide assistance to the provider to support and service the product periodically. Whether this service is provided on-site or remotely, there is an inherent risk of exposure and potential breach of PHI. But does this warrant the creation of a BAA?
From a strictly regulatory perspective, the manufacturer could argue, perhaps convincingly, that support of their products does not explicitly require access to PHI, and therefore, they are no different from an outside janitorial service. Manufacturers may also contend that when they do provide support and troubleshooting services they are, in fact, functioning as a health care provider in the treatment of a patient. The amount of water these arguments hold depends on the individual and the situation; however, in many cases, providers are preempting the sales process related to these devices with a request that the device manufacturer enter into a BAA regardless of their role as it relates to PHI.
This “hyper-sensitivity” is understandable as providers look to mitigate their own risk exposure. It often launches the provider and manufacturer into a relationship-damaging legal battle over the definition of a business associate and how it relates to their products and services. Frequently, these battles begin before the salesperson ever has the opportunity to demonstrate the value of the product in the context of their environment.
While device manufacturers have always considered the security and privacy controls implemented as part of the product’s design to be a value-add to the customer, it has only been in the last few years that some of the leading device manufacturers have worked to move the business associate argument into the same light. While these manufacturers may continue to hold the legal opinion that they do not fall under the business associate definition, they see strategic value in ensuring that not only does their device conform to the technical safeguards outlined in HIPAA, but their own procedures for providing support and service to their customers comply with the administrative, physical, and technical safeguards as well. This allows the salesperson to quickly bypass the business associate discussion by emphasizing the additional value provided by the manufacturer in safeguarding the information of their patients while building trust between the two individuals and organizations, a core element of good security and privacy practices and at the heart of the current regulations.
These cooperative relationships also enable the manufacturer to continue to innovate and expand its offerings as the devices more closely integrate with the provider’s systems. With so much focus on regulation, many of us often lose sight of opportunities to review and revise our organization’s policies, procedures, and system configurations to not only better safeguard the security and privacy of PHI, but also increase the efficiency and effectiveness of our processes and prepare ourselves for future growth.
Founded in 1953, The Hill Group, Inc. is a management consulting firm, specializing in strategy, operations, and measurement. For more information on developing and revising your internal compliance environments to address domestic and international regulatory and market demands, please contact Scott Rogerson at 412-722-1111 or [email protected].