
Why the Time to Revisit Third-Party Relationships and Your Business Associate Agreements Is Now

June 2013, Vol 3, No 4

The Final Rule modifying 45 CFR Parts 160 and 164, commonly known as the “HIPAA Rules,” which was promulgated on January 25, 2013, and becomes effective on September 23, 2013, makes numerous changes to the requirements for the maintenance, use, and disclosure of protected patient health information, which includes individually identifiable patient health information that is electronically transmitted or maintained. This article addresses the changes to the HIPAA Rules that affect your relationships with third parties.

A significant change to the HIPAA Rules is the direct extension of liability to the practice for breaches of the rules committed by its agents. Prior to the Final Rule, a third party with access to protected health information that misused it or otherwise breached the HIPAA Rules would not necessarily expose the practice to potential liability, as long as the third party was a business associate and the relevant contract requirements had been met.

In addition, the practice was protected from such an agent’s exposure only if it had not known of a pattern or practice of the business associate that violated the contract and, therefore, had not failed to act as required under the HIPAA Rules with respect to that violation. The Final Rule has clearly modified this premise: a violation by an agent of the practice will now result in exposure and potential fines for the practice.

At the crux of whether liability will be charged to a practice based on an agency relationship is whether an agency relationship actually exists. The fact that an individual works directly for the practice or is a known business associate of the practice does not impact whether or not that person is an agent of the practice. Whether an agency relationship exists is fact-specific, taking into account the totality of the circumstances in the ongoing relationship.

The essential factor in determining agency is the right or authority that the practice has to control the conduct of the agent in the performance of a service for the practice. One relevant question in such an inquiry includes whether the practice has the authority to give interim instructions or directions to the agent. For example, the practice would not be in an agency relationship if it enters into a business associate agreement with a third party that sets the terms and conditions of the relationship between the parties, and the only avenue of control is for the practice to amend the terms of that contract or sue for breach of contract.

In a circumstance where the practice has no authority over the third party, the practice is simply engaging a third party to perform a specific service; because the third party determines the best course of action, it is likely that no agency relationship would be found. A typical example of a nonagency relationship is most practices’ relationships with their billing companies. Typically, a practice contracting with a billing company is not aware of, nor does it have the authority to control, the billing company’s operations and services. The contract governs the relationship, and if the relationship deviates from the agreement, the recourse for either party is to initiate a breach of contract lawsuit. Another example of a nonagency relationship is where the practice engages an accreditation consultant. Under most circumstances, accreditation functions performed by a third party cannot be performed by the practice, because a practice cannot perform an accreditation survey or award accreditation and, as such, functions performed by a third party do not constitute an agency relationship.

Once you have determined that you may, in fact, have an agency relationship, it is important to ensure that the agent is aware of and adheres to the HIPAA Rules with regard to protected health information. From a practical standpoint, any agent of the practice should be held—at a minimum—to the same standards as practice employees, and should be made aware of any and all existing HIPAA policies at the practice and be subject to any and all HIPAA training employed by the practice. Holding your agents to a high standard is essential, as you may very well be held responsible for any improper use or disclosure of protected health information by those agents, which is not the case for business associates of the practice as long as certain requirements are followed.

Prior to the Final Rule, a business associate was defined as any person who performed activities or services on behalf of a practice that involved the use of or disclosure of protected health information. With the implementation of the Final Rule, the definition of a business associate has expanded to include any person who creates, receives, maintains, or transmits protected health information for any number of purposes, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing. The definition of a business associate also includes individuals providing management, administrative, accreditation, or financial services where the provision of such services involves the disclosure of protected health information. In accordance with the Final Rule, any individual with more than “routine access” to protected health information qualifies as a business associate, except for a practice employee, healthcare provider, other practice, government agency, or a plan sponsor.

Determining if an individual has more than “routine access” is a fact determination that requires looking at whether the individual serves as a mere conduit. Pursuant to the Final Rule, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service as required by law. For example, an Internet service provider would qualify as having only “routine access” and would not qualify as a business associate. Similarly, a financial institution likely does not qualify as a business associate when conducting payment processing.

For each business associate of the practice, a duly executed business associate agreement is required. Each business associate agreement must comply with certain parameters, including being in writing and detailing the services to be provided by the business associate and the access the business associate needs to the practice’s protected health information. In addition, each business associate agreement should contain the required protections against the improper use of protected health information, as well as any assurances determined to be necessary for protecting that health information.

Another element of a business associate agreement that every provider should incorporate is a contractual shifting of risk and exposure upon the improper use or disclosure of protected health information to the business associate. If the business associate is the responsible party for an improper use or disclosure of protected health information, it should be clear in the business associate agreement that the business associate will bear the cost of such exposure, including legal fees, costs, fines, and expenses.

Failure to comply with the HIPAA Rules—including the requirement for proper business associate agreements and proper use and disclosures of protected health information by agents of the practice—may result in exposure that would cause the imposition of civil monetary penalties. To ensure compliance, all practices should review their relationships with third parties to ensure that they are operating with proper business associate agreements, as well as properly protecting all patient health information.

Jennifer Kirschenbaum, Esq, manages Kirschenbaum & Kirschenbaum’s healthcare department, which specializes in representing healthcare practitioners in regulatory compliance, audit defense, licensure, and transactional matters. To ensure that your practice is in compliance with the HIPAA Rules before September 23, 2013, read the available HIPAA policies at or contact Jennifer at 516-747-6700 x302 or by e-mail.
