July 22, 2014

OMG! Am I a Business Associate (BA)? Assessing the Impact of Recent HIPAA Changes on Your Business

  • Do you perform any work for health care providers, health plans, or others who provide services to health care entities?
  • Do you handle any protected health information (which may be as basic as a patient's name)?
  • If so, do you understand what your obligations may be to comply with HIPAA, and that a failure to do so could cost you up to $1.5 million per year for violations of a single HIPAA requirement?

Recently the U.S. Department of Health and Human Services finalized modifications to HIPAA, the Health Insurance Portability and Accountability Act of 1996. Given HIPAA's highly technical nature, it may be tempting for those not working directly in health care settings to turn a blind eye to these changes. Ignoring them, however, could prove to be a costly mistake. The changes expand liability for certain individuals and entities, known as "business associates," that fail to comply with the privacy and security obligations in HIPAA. Because business associates are now subject to audits, investigations, and enforcement (including civil penalties of up to $1.5 million per year for violations of the same requirement), it is important to assess whether your business could qualify as a business associate and to plan accordingly.

This Update outlines the expanded definition of business associate and is meant to assist you in determining whether your business qualifies. For more detailed information regarding other important revisions to HIPAA, please see von Briesen's Health Law Update on the full scope of the changes available here.

In short, if you provide services or perform functions on behalf of a health care provider or plan and, in doing so, deal with information about patients or plan members, you likely qualify as a business associate. A "business associate" performs functions or activities on behalf of, or certain activities for, a health care provider or health plan that involve the use or disclosure of protected health information (also known as "PHI") such as a person's name and their status as a patient.

The recent changes specify that the definition of business associate includes persons or entities that create, receive, maintain, or transmit protected health information on behalf of a provider or plan. The following functions, if they involve protected health information, would qualify an entity as a business associate:

  • claims processing or administration;
  • data analysis, processing, or administration;
  • utilization review;
  • quality assurance;
  • patient safety activities;
  • billing;
  • benefit management;
  • practice management; and
  • repricing.

Those who provide any of the following services to or for a health care provider or health plan, where the service involves the disclosure of protected health information from the provider or the plan, are business associates:

  • legal;
  • actuarial;
  • accounting;
  • consulting;
  • data aggregation;
  • physical or electronic data storage;
  • management;
  • administrative;
  • accreditation; and
  • financial services.

Under the recent rule changes, a business associate's subcontractors are now directly liable for complying with the privacy and security obligations in HIPAA. This means that a company with a direct relationship with a HIPAA-covered entity is not the only business associate: any company it contracts with to support that work is also regulated as a business associate if the subcontractor creates, receives, maintains, or transmits protected health information.

In addition to expanding the types of businesses that may qualify as business associates, the new rules also expand the penalties for violations. Previously, business associate liability was generally limited to breach of contract. Now, business associates and subcontractors are subject to civil and criminal penalties for any impermissible use or disclosure of protected health information. This means that business associates and subcontractors must comply with HIPAA's administrative, physical, and technical safeguard requirements and its use and disclosure rules, even if no business associate agreement is in place with the health care provider or plan, or between the business associate and its subcontractor.

Business associates are now required to enter into written agreements with every subcontractor that creates, receives, maintains, or transmits protected health information on their behalf, even if the subcontractor never actually views the information (for example, a vendor that only stores it). It is also important to note that business associates are liable for the acts or omissions of subcontractors acting within the scope of an agency relationship.

The rule changes took effect on March 26, 2013, and business associates must comply with most of the provisions by September 23, 2013. Before that date, business associates and subcontractors should develop work plans for coming into compliance, including a review of their operations, IT systems, HIPAA policies, training procedures, and vendor assessment practices. Business associates should also update and implement agreements with health care providers and subcontractors consistent with the recent changes to HIPAA.

HIPAA is technical and complex. If you suspect you may be a business associate or a subcontractor, it is important that you contact an attorney about your obligations under the recent rule changes.

©2014 von Briesen & Roper, s.c.

About the Author

Diane M. Welsh, Health Care Attorney, Von Briesen Law Firm

Diane Welsh is a Shareholder in the Health Law Section and the Litigation Practice Group. Diane chairs the Government Relations and Regulatory Law Section, HIPAA and Health Information Systems, and is also a member of the firm’s Strategic Risk and Crisis Management Team.

Diane advises clients on a variety of matters, including: federal and state privacy laws; regulatory compliance (ranging from health, gaming, education and more); program integrity; and, crisis management. Diane has fifteen years of experience in government, administrative, and health care law. Her substantial...

(608) 661-3961

About the Author

Meghan C. O'Connor, Health Care Attorney, Von Briesen Law Firm

Meghan O’Connor is a member of the Health Care Section and the Government Relations and Regulatory Law Section. She advises clients on a wide range of regulatory compliance, corporate, and transactional matters, including: HIPAA, HITECH, and other federal and state confidentiality laws; provider and vendor contracting; health care reform, Medicare, and Medicaid compliance; patient care and risk management issues; managed care; insurance regulation; and clinical integration and accountable care networks.

Prior to joining von Briesen, Meghan worked for the U.S. Department of...


Published by The National Law Review (National Law Forum LLC).