I recently received a letter from a medical group that had apparently purchased my Health Information Compliance Library. The letter required me to sign a business associate agreement because I am a vendor. Although I certainly agree that some vendors are business associates, merely selling a covered entity a product or even a service does not make one a business associate. Taken to its logical conclusion, this medical group would require vendors that sold that facility toilet paper to sign business associate agreements.
As you know—and as this medical group apparently doesn’t—qualifying as a business associate involves performing a service for or on behalf of a covered entity that involves individually identifiable health information and/or maintaining or transmitting electronic health information for a covered entity. Certainly, a vendor could both sell a product and/or service to a covered entity and perform a service involving protected health information (“PHI”) and/or transmit the same electronically and so qualify as a business associate. The classic example is the vendor of an electronic health record (“EHR”) that has to view PHI in order to ensure that the system is functioning and to trouble-shoot any problems. But if a hospital purchases the Joint Commission on Accreditation of Healthcare Organizations 2011 Standards, such a transaction would hardly seem to make the Joint Commission a business associate.
The letter from the medical group states that this requirement that not only business associates but also third party vendors sign a new business associate agreement is “to ensure [the group’s] compliance with these (The HITECH Act’s) enhanced standards.” Although the HITECH Act extended HIPAA’s civil and criminal penalties to business associates and made them have to follow the Security Rule and Privacy Rule by law, not just by virtue of the business associate contract, as well as other requirements, it did not change the definition of business associate in any manner relevant to vendors other than those of personal health records.
Nor should one want to have business associate contracts with those who are not business associates because the proposed regulation changes the potential liability of the covered entity for the breaches of its business associates. In the past, covered entities were liable for HIPAA violations if they had actual knowledge that their business associate was violating the business associate agreement and failed to take reasonable steps to cure the breach, end the violation, or terminate the contract. 45 C.F.R. § 164.504. The propose rule, however, also makes a covered entity liable for its business associate’s violations if the business associate or subcontractor was acting as the agent of the covered entity or principal business associate under common law agency principles. § 160.402. This change implies that covered entities may have to ensure that their business associates are HIPAA compliant—that is, covered entities may have to audit their business associates. Do you have the ability (or resources) to audit your business associates? So why would you want to make vendors that do not access, use, transmit, or disclose your PHI business associates? And how many vendors will decide to give up the sale rather than subject themselves to all of the compliance costs and potential liability inherent in the HITECH Act?
By the way, I am not signing this business associate agreement.
