
    HIPAA Regulations: General Provisions - Definitions - Business Associate - § 160.103

    As Contained in the HHS HIPAA Rules

    HHS Guidance: Business Associates


    HHS Regulations as Amended January 2013
    General Provisions: Definitions - Business Associate - § 160.103


    (1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

    (i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

    (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

    (2) A covered entity may be a business associate of another covered entity.

    (3) Business associate includes:

    (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.

    (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.

    (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

    (4) Business associate does not include:

    (i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.

    (ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of §164.504(f) of this subchapter apply and are met.

    (iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.

    (iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.


    HHS Description and Commentary From the January 2013 Amendments
    Business Associate Contracts


    The HIPAA Privacy and Security Rules permit a covered entity to disclose protected health information to a business associate, and allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, provided the covered entity obtains satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information. The HIPAA Rules define “business associate” generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. We proposed a number of modifications to the definition of “business associate” to implement the HITECH Act, to conform the term to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), 42 U.S.C. 299b–21, et seq., and to make other changes to the definition.

    Inclusion of Patient Safety Organizations

    Proposed Rule

    We proposed to add patient safety activities to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship. PSQIA, at 42 U.S.C. 299b-22(i)(1), provides that Patient Safety Organizations (PSOs) must be treated as business associates when applying the Privacy Rule. PSQIA provides for the establishment of PSOs to receive reports of patient safety events or concerns from providers and provide analyses of events to reporting providers.

    A reporting provider may be a HIPAA covered entity and, thus, information reported to a PSO may include protected health information that the PSO may analyze on behalf of the covered provider. The analysis of such information is a patient safety activity for purposes of PSQIA and the Patient Safety Rule, 42 CFR 3.10, et seq. While the HIPAA Rules as written would treat a PSO as a business associate when the PSO was performing quality analyses and other activities on behalf of a covered health care provider, we proposed this change to the definition of “business associate” to more clearly align the HIPAA and Patient Safety Rules.

    Overview of Public Comment

    Commenters on this topic supported the express inclusion of patient safety activities within the definition of “business associate.”

    Final Rule

    The final rule adopts the proposed modification.

    Inclusion of Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as well as Vendors of Personal Health Records

    Proposed Rule

    Section 13408 of the HITECH Act provides that an organization, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, that provides data transmission of protected health information to a covered entity (or its business associate) and that requires access on a routine basis to such protected health information must be treated as a business associate for purposes of the Act and the HIPAA Privacy and Security Rules. Section 13408 also provides that a vendor that contracts with a covered entity to allow the covered entity to offer a personal health record to patients as part of the covered entity’s electronic health record shall be treated as a business associate. Section 13408 requires that such organizations and vendors enter into a written business associate contract or other arrangement with the covered entity in accordance with the HIPAA Rules.

    In accordance with the Act, we proposed to modify the definition of “business associate” to explicitly designate these persons as business associates. Specifically, we proposed to include in the definition: (1) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

    We proposed to refer to “Health Information Organization” in the NPRM rather than “Health Information Exchange Organization” as used in the Act because it is our understanding that “Health Information Organization” is the more widely recognized and accepted term to describe an organization that oversees and governs the exchange of health-related information among organizations. The Act also specifically refers to Regional Health Information Organizations; however, we did not believe the inclusion of the term in the definition of “business associate” was necessary as a Regional Health Information Organization is simply a Health Information Organization that governs health information exchange among organizations within a defined geographic area.

    Further, the specific terms of “Health Information Organization” and “E-prescribing Gateway” were included as merely illustrative of the types of organizations that would fall within this paragraph of the definition of “business associate.” We requested comment on the use of these terms within the definition and whether additional clarifications or additions were necessary.

    Section 13408 also provides that the data transmission organizations that the Act requires to be treated as business associates are those that require access to protected health information on a routine basis. Conversely, data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates. This is consistent with our prior interpretation of the definition of “business associate,” through which we have stated that entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates. See http://www.hhs.gov/ocr/privacy/hipaa/faq/providers/business/245.html. In contrast, entities that manage the exchange of protected health information through a network, including providing record locator services and performing various oversight and governance functions for electronic health information exchange, have more than “random” access to protected health information and thus, would fall within the definition of “business associate.”

    Overview of Public Comments

    Commenters generally supported the inclusion of Health Information Organizations, personal health record vendors, and similar entities in the definition of “business associate.” However, commenters sought various clarifications as discussed below.

    Commenters generally supported use of the term Health Information Organization in lieu of more restrictive terms, such as Regional Health Information Organization. Some commenters suggested that the term Health Information Organization be defined, so as to avoid confusion as the industry develops, and suggested various alternatives for doing so. Several commenters recommended that the Office for Civil Rights (OCR) maintain a website link that lists current terms for entities that OCR considers to be Health Information Organizations.

    Other commenters requested clarification on what it means to have “access on a routine basis” to protected health information for purposes of the definition and determining whether certain entities are excluded as mere conduits. For example, commenters asked whether the definition of business associate would include broadband suppliers or internet service providers, vendors that only have the potential to come into contact with protected health information, or entities contracted on a contingency basis that may at some point in the future have access to protected health information. Several document storage companies argued that entities like theirs should be characterized as conduits, as they do not view the protected health information they store.

    Several commenters sought clarification regarding when personal health record vendors would be considered business associates. For example, commenters asked whether personal health record vendors would be business associates when the vendor provided the personal health record in collaboration with the covered entity, when the personal health record is linked to a covered entity’s electronic health record, or when the personal health record is offered independently to the individual, among other scenarios.

    One commenter suggested that a vendor offering a personal health record to a patient on behalf of a covered entity only acts as a conduit because there is no access by the vendor to protected health information; another commenter suggested that personal health record vendors be business associates only when they have routine access to protected health information.

    Final Rule

    The final rule adopts the language that expressly designates as business associates: (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

    We decline to provide a definition for Health Information Organization. We recognize that the industry continues to develop and thus the type of entities that may be considered Health Information Organizations continues to evolve. For this reason, we do not think it prudent to include in the regulation a specific definition at this time. We anticipate continuing to issue guidance in the future on our web site on the types of entities that do and do not fall within the definition of business associate, which can be updated as the industry evolves.

    Regarding what it means to have “access on a routine basis” to protected health information with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity. The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to protected health information when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to protected health information would not qualify the company as a business associate. In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of protected health information through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate. We intend to issue further guidance in this area as electronic health information exchange continues to evolve.

    We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.

    Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold. To help clarify this point, we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” (emphasis added) protected health information on behalf of a covered entity.

    Several commenters sought clarification on when a personal health record vendor would be providing a personal health record “on behalf of” a covered entity and thus, would be a business associate for purposes of the HIPAA Rules. As with data transmission services, determining whether a personal health record vendor is a business associate is a fact specific determination. A personal health record vendor is not a business associate of a covered entity solely by virtue of entering into an interoperability relationship with a covered entity. For example, when a personal health record vendor and a covered entity establish the electronic means for a covered entity’s electronic health record to send protected health information to the personal health record vendor pursuant to the individual’s written authorization, it does not mean that the personal health record vendor is offering the personal health record on behalf of the covered entity, even if there is an agreement between the personal health record vendor and the covered entity governing the exchange of data (such as an agreement specifying the technical specifications for exchanging of data or specifying that such data shall be kept confidential). In contrast, when a covered entity hires a vendor to provide and manage a personal health record service the covered entity wishes to offer its patients or enrollees, and provides the vendor with access to protected health information in order to do so, the personal health record vendor is a business associate.

    A personal health record vendor may offer personal health records directly to individuals and may also offer personal health records on behalf of covered entities. In such cases, the personal health record vendor is only subject to HIPAA as a business associate with respect to personal health records that are offered to individuals on behalf of covered entities.

    We also clarify that, contrary to one commenter’s suggestion, a personal health record vendor that offers a personal health record to a patient on behalf of a covered entity does not act merely as a conduit. Rather, the personal health record vendor is maintaining protected health information on behalf of the covered entity (for the benefit of the individual). Further, a personal health record vendor that operates a personal health record on behalf of a covered entity is a business associate if it has access to protected health information, regardless of whether the personal health record vendor actually exercises this access. We believe the revisions to the definition of “business associate” discussed above clarify these points. As with other aspects of the definition of “business associate,” we intend to provide future guidance on when a personal health record vendor is a business associate for purposes of the HIPAA Rules.

    Response to Other Public Comments

    Comment: One commenter recommended that the term “person” used in describing who provides transmission services to a covered entity be clarified to apply also to entities and organizations.

    Response: The term “person” as defined at § 160.103 includes entities as well as natural persons.

    Comment: One commenter asked whether subcontractors that support business associates with personal health record related functions are subject to the breach notification requirements under the HIPAA Breach Notification Rule or that of the FTC.

    Response: As discussed below, a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate, including with respect to personal health record functions, is a HIPAA business associate and thus, is subject to the HIPAA Breach Notification Rule and not that of the FTC. The analysis of whether a subcontractor is acting on behalf of a business associate is the same analysis as discussed above with respect to whether a business associate is acting on behalf of a covered entity.

    Inclusion of Subcontractors

    Proposed Rule

    We proposed in the definition of “business associate” to provide that subcontractors of a covered entity, i.e., those persons that perform functions for or provide services to a business associate other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also proposed to define “subcontractor” in § 160.103 as a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we used the term “subcontractor,” which implies there is a contract in place between the parties, the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person. We requested comment on the use of the term “subcontractor” and its proposed definition.

    The intent of the proposed extension of the Rules to subcontractors was to avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity. Allowing such a lapse in privacy and security protections could allow business associates to avoid liability imposed upon them by sections 13401 and 13404 of the Act. Further, applying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information in order for the covered entity to perform its health care functions. Therefore, we proposed that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance.

    This proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

    Overview of Public Comments

    While some commenters generally supported extending the business associate provisions of the Rules to subcontractors, many opposed such an extension arguing, among other things, that doing so was not the intent of Congress and beyond the statutory authority of the Department, that confusion may ensue with covered entities seeking to establish direct business associate contracts with subcontractors or prohibiting business associates from establishing subcontractor relationships altogether, and/or that creating direct liability for subcontractors will discourage such entities from operating and participating in the health care industry. Some commenters asked how far down the “chain” of subcontractors do the HIPAA Rules apply – i.e., do the Rules apply only to the first tier subcontractor or to all subcontractors down the chain.

    In response to our request for comment on this issue, several commenters were concerned that use of the term subcontractor was confusing and instead suggested a different term be used, such as business associate contractor or downstream business associate, to avoid confusion between primary business associates of a covered entity and subcontractors. Other commenters suggested changes to the definition of subcontractor itself to better clarify the scope of the definition.

    Several commenters requested specific guidance on who is and is not a subcontractor under the definitions of “business associate” and “subcontractor.” For example, one commenter asked whether an entity that shreds documents for a business associate for the business associate’s activities and not for the covered entity, would qualify as a subcontractor. Another commenter asked whether disclosures by a business associate of protected health information for its own management and administration or legal needs creates a subcontractor relationship. Other commenters recommended that subcontractors without routine access to protected health information, or who do not access protected health information at all for their duties, not be considered business associates.

    Final Rule

    The final rule adopts the proposal to apply the business associate provisions of the HIPAA Rules to subcontractors and thus, provides in the definition of “business associate” that a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” In response to comments, we clarify the definition of “subcontractor” in § 160.103 to provide that subcontractor means: “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Thus, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information. We also decline to replace the term “subcontractor” with another, as we were not persuaded by any of the alternatives suggested by commenters (e.g., “business associate contractor,” “downstream business associate,” or “downstream entity”).

    We disagree with the commenters that suggested that applying the business associate provisions of the HIPAA Rules to subcontractors is beyond the Department’s statutory authority. In the HITECH Act, Congress created direct liability under the HIPAA Privacy and Security Rules for persons that are not covered entities but that create or receive protected health information in order for a covered entity to perform its health care functions, to ensure individuals’ personal health information remains sufficiently protected in the hands of these entities. As stated in the NPRM, applying the business associate provisions only to those entities that have a direct relationship with a covered entity does not achieve that intended purpose. Rather, it allows privacy and security protections for protected health information to lapse once a subcontractor is enlisted to assist in performing a function, activity, or service for the covered entity, while at the same time potentially allowing certain primary business associates to avoid liability altogether for the protection of the information the covered entity has entrusted to the business associate.

    Further, section 13422 of the HITECH Act provides that each reference in the Privacy subtitle of the Act to a provision of the HIPAA Rules refers to such provision as in effect on the date of enactment of the Act or to the most recent update of such provision (emphasis added). Thus, the Act does not bar the Department from modifying definitions of terms in the HIPAA Rules to which the Act refers. Rather, the statute expressly contemplates that modifications to the terms may be necessary to carry out the provisions of the Act or for other purposes.

    Further, we do not agree that covered entities will be confused and seek to establish direct business associate contracts with subcontractors or will prohibit business associates from engaging subcontractors to perform functions or services that require access to protected health information. The final rule makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor. See §§ 164.308(b)(1) and 164.502(e)(1)(i). In addition, as commenters did not present direct evidence to the contrary, we do not believe that covered entities will begin prohibiting business associates from engaging subcontractors as a result of the final rule, in cases where they were not doing so before. Rather, we believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors.

    The Department also believes that the privacy and security protections for an individual’s personal health information and associated liability for noncompliance with the Rules should not lapse beyond any particular business associate that is a subcontractor. Thus, under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far “down the chain” the information flows. This ensures that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions. For example, a covered entity may contract with a business associate (contractor), the contractor may delegate to a subcontractor (subcontractor 1) one or more functions, services, or activities the business associate has agreed to perform for the covered entity that require access to protected health information, and the subcontractor may in turn delegate to another subcontractor (subcontractor 2) one or more functions, services, or activities it has agreed to perform for the contractor that require access to protected health information, and so on. Both the contractor and all of the subcontractors are business associates under the final rule to the extent they create, receive, maintain, or transmit protected health information.

    With respect to requests for specific guidance on who is and is not a subcontractor, we believe the above changes to the definition provide further clarity. We also provide the following in response to specific comments. Disclosures by a business associate pursuant to § 164.504(e)(4) and its business associate contract for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the protected health information because such disclosures are made outside of the entity’s role as a business associate. However, for such disclosures that are not required by law, the Rule requires that the business associate obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and the person notifies the business associate of any instances of which it is aware that the confidentiality of the information has been breached. See § 164.504(e)(4)(ii)(B).

    In contrast, disclosures of protected health information by the business associate to a person who will assist the business associate in performing a function, activity, or service for a covered entity or another business associate may create a business associate relationship depending on the circumstances. For example, an entity hired by a business associate to appropriately dispose of documents that contain protected health information is also a business associate and subject to the applicable provisions of the HIPAA Rules.

    If the documents to be shredded do not contain protected health information, then the entity is not a business associate. We also clarify that the same interpretations that apply to determining whether a first tier contractor is a business associate also apply to determining whether a subcontractor is a business associate. Thus, our interpretation of who is and is not excluded from the definition of business associate as a conduit applies in the context of subcontractors as well. We refer readers to the above discussion regarding transmission services and conduits.

    Exceptions to Business Associate

    Proposed Rule

    Sections 164.308(b)(2) and 164.502(e)(1)(ii) of the HIPAA Rules currently describe certain circumstances, such as when a covered entity discloses protected health information to a health care provider concerning the treatment of an individual, in which a covered entity is not required to enter into a business associate contract or other arrangement with the recipient of the protected health information. We proposed to move these provisions to the definition of “business associate” itself as exceptions to make clear that the Department does not consider the recipients of the protected health information in these circumstances to be business associates. The movement of these exceptions also was intended to help clarify that a person or an entity is a business associate if the person or entity meets the definition of “business associate,” even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity.

    Final Rule

    The Department did not receive substantive public comment on this proposal. The final rule includes the exceptions within the definition of “business associate.”

    Technical Changes to the Definition

    Proposed Rule

    For clarity and consistency, we also proposed to change the term “individually identifiable health information” in the current definition of “business associate” to “protected health information,” since a business associate has no obligation under the HIPAA Rules with respect to individually identifiable health information that is not protected health information.

    Final Rule

    The Department did not receive substantive public comment on this proposal. The final rule adopts the proposed modification to the definition. Additionally, as indicated above, we have revised the definition of business associate to clarify that a business associate includes an entity that “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity. This change is intended to make the definition more consistent with language at § 164.308(b) of the Security Rule and § 164.502(e) of the Privacy Rule, as well as to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.


    Response to Other Public Comments

    Comment: One commenter suggested that some covered entities do not treat third party persons that handle protected health information onsite as a business associate.

    Response: A covered entity may treat a contractor who has his or her duty station onsite at a covered entity and who has more than incidental access to protected health information as either a member of the covered entity’s workforce or as a business associate for purposes of the HIPAA Rules.

    Comment: A few commenters asked for confirmation that researchers are not considered business associates. In addition, the Secretary’s Advisory Committee on Human Research Protections, in its November 23, 2010, letter to the Secretary providing comments on the NPRM, asked the Department to confirm that outsourced research review, approval, and continuing oversight functions (such as through using an external or independent Institutional Review Board) similarly do not give rise to a business associate relationship.

    Response: A person or entity is a business associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of “business associate,” and in the performance of such duties the person or entity has access to protected health information. Thus, an external researcher is not a business associate of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research. See http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/239.html. Similarly, an external or independent Institutional Review Board is not a business associate of a covered entity by virtue of its performing research review, approval, and continuing oversight functions.

    However, a researcher may be a business associate if the researcher performs a function, activity, or service for a covered entity that does fall within the definition of business associate, such as the health care operations function of creating a de-identified or limited data set for the covered entity. See paragraph (6)(v) of the definition of “health care operations.” Where the researcher is also the intended recipient of the de-identified data or limited data set, the researcher must return or destroy the identifiers at the time the business associate relationship to create the data set terminates and the researcher now wishes to use the de-identified data or limited data set (subject to a data use agreement) for a research purpose.

    Comment: A few commenters asked for clarification as to whether the business associate provisions applied to banking and financial institutions. Commenters sought clarification as to whether the exemption at § 1179 of the HIPAA statute for financial institutions was applicable to subcontractors.

    Response: This final rule is not intended to affect the status of financial institutions with respect to whether they are business associates. The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the HIPAA statute, for example, the activity of cashing a check or conducting a funds transfer. Section 1179 of HIPAA exempts certain activities of financial institutions from the HIPAA Rules, to the extent that these activities constitute authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums. However, a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider.

    We clarify that our inclusion of subcontractors in the definition of business associate does not impact the exclusion of financial institutions from the definition of “business associates” when they are only conducting payment processing activities that fall under § 1179 of the HIPAA statute. Accordingly, a business associate need not enter into a business associate agreement with a financial institution that is solely conducting payment activities that are excluded under § 1179.

    Comment: One commenter sought clarification of the status of a risk management group or malpractice insurance company that receives protected health information when contracted with a covered entity to mitigate the covered entity’s risk and then contracts with legal groups to represent the covered entity during malpractice claims.

    Response: A business associate agreement is not required where a covered entity purchases a health plan product or other insurance, such as medical liability insurance, from an insurer. However, a business associate relationship could arise if the insurer is performing a function on behalf of, or providing services to, the covered entity that does not directly relate to the provision of insurance benefits, such as performing risk management or assessment activities or legal services for the covered entity, that involve access to protected health information.


    Supplemental Comments and HHS Responses in the August 2002 Revisions
    Business Associate Contracts


    Comment: Many commenters continued to recommend various modifications to the business associate standard, unrelated to the proposed modifications. For example, some commenters urged that the Department eliminate the business associate requirements entirely. Several commenters urged that the Department exempt covered entities from having to enter into contracts with business associates who are also covered entities under the Privacy Rule. Alternatively, one commenter suggested that the Department simplify the requirements by requiring a covered entity that is a business associate to specify in writing the uses and disclosures the covered entity is permitted to make as a business associate.

    Other commenters requested that the Department allow business associates to self-certify or be certified by a third party or HHS as compliant with the Privacy Rule, as an alternative to the business associate contract requirement.

    Certain commenters urged the Department to modify the Rule to eliminate the need for a contract with accreditation organizations. Some commenters suggested that the Department do so by reclassifying private accreditation organizations acting under authority from a government agency as health oversight organizations, rather than as business associates.

    Response: The proposed modifications regarding business associates were intended to address the concerns of commenters with respect to having insufficient time to reopen and renegotiate what could be thousands of contracts for some covered entities by the compliance date of the Privacy Rule. The proposed modifications did not address changes to the definition of, or requirements for, business associates generally. The Department has, in previous guidance, as well as in the preamble to the December 2000 Privacy Rule, explained its position with respect to most of the above concerns. However, the Department summarizes its position in response to such comments briefly below.

    The Department recognizes that most covered entities acquire the services of a variety of other persons or entities to assist in carrying out covered entities’ health care activities. The business associate provisions are necessary to ensure that individually identifiable health information created or shared in the course of these relationships is protected. Further, without the business associate provisions, covered entities would be able to circumvent the requirements of the Privacy Rule simply by contracting out certain of their functions.

    With respect to a contract between a covered entity and a business associate who is also a covered entity, the Department restates its position that a covered entity that is a business associate should be restricted from using or disclosing the protected health information it creates or receives as a business associate for any purposes other than those explicitly provided for in its contract. Further, to modify the provisions to require or permit a type of written assurance, other than a contract, by a covered entity would add unnecessary complexity to the Rule.

    Additionally, the Department at this time does not believe that a business associate certification process would provide the same kind of protections and guarantees with respect to a business associate’s actions that are available to a covered entity through a contract under State law. With respect to certification by a third party, it is unclear whether such a process would allow for any meaningful enforcement (such as termination of a contract) for the actions of a business associate. Further, the Department could not require that a business associate be certified by a third party. Thus, the Privacy Rule still would have to allow for a contract between a covered entity and a business associate.

    The Privacy Rule explicitly defines organizations that accredit covered entities as business associates. See the definition of “business associate” at § 160.103. The Department defined such organizations as business associates because, like other business associates, they provide a service to the covered entity during which much protected health information is shared.

    The Privacy Rule treats all organizations that provide accreditation services to covered entities alike. The Department has not been persuaded by the comments that those accreditation organizations acting under grant of authority from a government agency should be treated differently under the Rule and relieved of the conditions placed on other such relationships. However, the Department understands concerns regarding the burdens associated with the business associate contract requirements. The Department clarifies that the business associate provisions may be satisfied by standard or model contract forms which could require little or no modification for each covered entity. As an alternative to the business associate contract, these final modifications permit a covered entity to disclose a limited data set of protected health information, not including direct identifiers, for accreditation and other health care operations purposes subject to a data use agreement. See § 164.514(e).

    Comment: A number of commenters continued to express concern over a covered entity’s perceived liability with respect to the actions of its business associate. Some commenters requested further clarification that a covered entity is not responsible for or required to monitor the actions of its business associates. It also was suggested that such language expressly be included in the Rule’s regulatory text. One commenter recommended that the Rule provide that business associates are directly liable for their own failure to comply with the Privacy Rule. Another commenter urged that the Department eliminate a covered entity’s obligation to mitigate any harmful effects caused by a business associate’s improper use or disclosure of protected health information.

    Response: The Privacy Rule does not require a covered entity to actively monitor the actions of its business associates nor is the covered entity responsible or liable for the actions of its business associates. Rather, the Rule only requires that, where a covered entity knows of a pattern of activity or practice that constitutes a material breach or violation of the business associate’s obligations under the contract, the covered entity take steps to cure the breach or end the violation. See § 164.504(e)(1). The Department does not believe a regulatory modification is necessary in this area. The Department does not have the statutory authority to hold business associates, that are not also covered entities, liable under the Privacy Rule.

    With respect to mitigation, the Department does not accept the commenter’s suggestion. When protected health information is used or disclosed inappropriately, the harm to the individual is the same, regardless of whether the violation was caused by the covered entity or by a business associate. Further, this provision is not an absolute standard intended to require active monitoring of the business associate or mitigation of all harm caused by the business associate. Rather, the provision applies only if the covered entity has actual knowledge of the harm, and requires mitigation only “to the extent practicable” by the covered entity. See § 164.530(f).

    Comment: Several commenters asked the Department to provide additional clarification as to who is and is not a business associate for purposes of the Rule. For example, commenters questioned whether researchers were business associates. Other commenters requested further clarification as to when a health care provider would be the business associate of another health care provider. One commenter asked the Department to clarify whether covered entities that engage in joint activities under an organized health care arrangement (OHCA) are required to have a business associate contract. Several commenters asked the Department to clarify that a business associate agreement is not required with organizations or persons where contact with protected health information would result inadvertently (if at all), for example, janitorial services.

    Response: The Department provides the following guidance in response to commenters. Disclosures from a covered entity to a researcher for research purposes as permitted by the Rule do not require a business associate contract. This remains true even in those instances where the covered entity has hired the researcher to perform research on the covered entity’s own behalf because research is not a covered function or activity. However, the Rule does not prohibit a covered entity from entering into a business associate contract with a researcher if the covered entity wishes to do so. Notwithstanding the above, a covered entity must enter into a data use agreement, as required by § 164.514(e), prior to disclosing a limited data set for research purposes to a researcher.

    With respect to business associate contracts between health care providers, the Privacy Rule explicitly excepts from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See § 164.502(e)(1). Therefore, any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment purposes without a business associate contract. The Department does not intend the Rule to interfere with the sharing of information among health care providers for treatment. However, this exception does not preclude one health care provider from establishing a business associate relationship with another health care provider for some other purpose. For example, a hospital may enlist the services of another health care provider to assist in the hospital’s training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to patient health information.

    As to disclosures among covered entities who participate in an organized health care arrangement, the Department clarifies that no business associate contract is needed to the extent the disclosure relates to the joint activities of the OHCA.

    The Department also clarifies that a business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be de minimis, if at all. For example, a health care provider is not required to enter into a business associate contract with its janitorial service because the performance of such service does not involve the use or disclosure of protected health information. In this case, where a janitor has contact with protected health information incidentally, such disclosure is permissible under § 164.502(a)(1)(iii) provided reasonable safeguards are in place.

    The Department is aware that similar questions still remain with respect to the business associate provisions of the Privacy Rule and intends to provide technical assistance and further clarifications as necessary to address these questions.

    Comment: A few commenters urged that the Department modify the Privacy Rule’s requirement for a covered entity to take reasonable steps to cure a breach or end a violation of its business associate contract by a business associate. One commenter recommended that the requirement be modified instead to require a covered entity who has knowledge of a breach to ask its business associate to cure the breach or end the violation. Another commenter argued that a covered entity only should be required to take reasonable steps to cure a breach or end a violation if the business associate or a patient reports to the privacy officer or other responsible employee of the covered entity that a misuse of protected health information has occurred.

    Response: It is expected that a covered entity with evidence of a violation will ask its business associate, where appropriate, to cure the breach or end the violation. Further, the Department intends that whether a covered entity “knew” of a pattern or practice of the business associate in breach or violation of the contract will be consistent with common principles of law that dictate when knowledge can be attributed to a corporate entity. Regardless, a covered entity’s training of its workforce, as required by § 164.530(b), should address the recognition and reporting of violations to the appropriate responsible persons within the entity.

    Comment: Several commenters requested clarification as to whether a business associate is required to provide individuals with access to their protected health information as provided by § 164.524 or an accounting of disclosures as provided by § 164.528, or amend protected health information as required by § 164.526. Some commenters wanted clarification that the access and amendment provisions apply to the business associate only if the business associate maintains the original designated record set of the protected health information.

    Response: Under the Rule, the covered entity is responsible for fulfilling all of an individual’s rights, including the rights of access, amendment, and accounting, as provided for by §§ 164.524, 164.526, and 164.528. With limited exceptions, a covered entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. However, the Privacy Rule does not prevent the parties from agreeing through the business associate contract that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the designated record set, or of part of it.

    As governed by § 164.526, a covered entity must amend protected health information about an individual in a designated record set, including any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate will make protected health information available for amendment and will incorporate amendments accordingly. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.

    With respect to accounting, § 164.528 requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. The business associate contract must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate contract that the business associate will provide the accounting to individuals, as may be appropriate given the protected health information held by, and the functions of, the business associate.

    Comment: One commenter asked whether a business associate agreement in electronic form, with an electronic signature, would satisfy the Privacy Rule’s business associate requirements.

    Response: The Privacy Rule generally allows for electronic documents to qualify as written documents for purposes of meeting the Rule’s requirements. This also applies with respect to business associate agreements. However, currently, no standards exist under HIPAA for electronic signatures. Thus, in the absence of specific standards, covered entities should ensure any electronic signature used will result in a legally binding contract under applicable State or other law.

    Comment: Certain commenters raised concerns with the Rule’s classification of attorneys as business associates. A few of these commenters urged the Department to clarify that the Rule’s requirement at § 164.504(e)(2)(ii)(H), which requires a contract to state the business associate must make information relating to the use or disclosure of protected health information available to the Secretary for purposes of determining the covered entity’s compliance with the Rule, not apply to protected health information in possession of a covered entity’s lawyer. Commenters argued that such a requirement threatens to impact attorney-client privilege. Others expressed concern over the requirement that the attorney, as a business associate, must return or destroy protected health information at termination of the contract. It was argued that such a requirement is inconsistent with many current obligations of legal counsel and is neither warranted nor useful.

    Response: The Department does not modify the Rule in this regard. The Privacy Rule is not intended to interfere with attorney-client privilege. Nor does the Department anticipate that it will be necessary for the Secretary to have access to privileged material in order to resolve a complaint or investigate a violation of the Privacy Rule. However, the Department does not believe that it is appropriate to exempt attorneys from the business associate requirements.

    With respect to the requirement for the return or destruction of protected health information, the Rule requires the return or destruction of all protected health information at termination of the contract only where feasible or permitted by law. Where such action is not feasible, the contract must state that the information will remain protected after the contract ends for as long as the information is maintained by the business associate, and that further uses and disclosures of the information will be limited to those purposes that make the return or destruction infeasible.

    Comment: One commenter was concerned that the business associate provisions regarding the return or destruction of protected health information upon termination of the business associate agreement conflict with various provisions of the Bank Secrecy Act, which require financial institutions to retain certain records for up to five years. The commenter further noted that there are many State banking regulations that require financial institutions to retain certain records for up to ten years. The commenter recommended that the Department clarify, in instances of conflict with the Privacy Rule, that financial institutions comply with Federal and State banking regulations.

    Response: The Department does not believe there is a conflict between the Privacy Rule and the Bank Secrecy Act retention requirements or that the Privacy Rule would prevent a financial institution that is a business associate of a covered entity from complying with the Bank Secrecy Act. The Privacy Rule generally requires a business associate contract to provide that the business associate will return or destroy protected health information upon the termination of the contract; however, it does not require this if the return or destruction of protected health information is infeasible. Return or destruction would be considered “infeasible” if other law, such as the Bank Secrecy Act, requires the business associate to retain protected health information for a period of time beyond the termination of the business associate contract. The Privacy Rule would require that the business associate contract extend the protections of the contract and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. In this case, the business associate would have to limit the use or disclosure of the protected health information to purposes of the Bank Secrecy Act or State banking regulations.

    Comment: A commenter requested clarification concerning the economic impact on business associates of the cost-based copying fees allowed to be charged to individuals who request a copy of their medical record under the right of access provided by the Privacy Rule. See § 164.524. According to the commenter, many hospitals and other covered entities currently outsource their records reproduction function for fees that often include administrative costs over and above the costs of copying. In some cases, the fees may be set in accordance with State law. The Privacy Rule, at § 164.524(c)(4), however, permits only reasonable, cost-based copying fees to be charged to individuals seeking to obtain a copy of their medical record under their right of access. The commenter was concerned that others seeking copies of all or part of the medical record, such as payers, attorneys, or entities that have the individual’s authorization, would try to claim the limited copying fees provided in § 164.524(c)(4). The commenter asserted that such a result would drastically alter the economics of the outsourcing industry, driving outsourcing companies out of business, and raising costs for the health industry as a whole. A clarification that the fee structure in § 164.524(c)(4) applies only to individuals exercising their right of access was sought.

    Response: The Department clarifies that the Rule, at § 164.524(c)(4), limits only the fees that may be charged to individuals, or to their personal representatives in accordance with § 164.502(g), when the request is to obtain a copy of protected health information about the individual in accordance with the right of access. The fee limitations in § 164.524(c)(4) do not apply to any other permissible disclosures by the covered entity, including disclosures that are permitted for treatment, payment or health care operations, disclosures that are based on an individual’s authorization that is valid under § 164.508, or other disclosures permitted without the individual’s authorization as specified in § 164.512.

    The fee limitation in § 164.524(c)(4) is intended to assure that the right of access provided by the Privacy Rule is available to all individuals, and not just to those who can afford to pay for copies. Based on the clarification provided, the Department does not anticipate that this provision will cause any significant disruption in the way that covered entities do business today. To the extent hospitals and other entities outsource this function because it is less expensive than doing it themselves, the fee limitation for individuals seeking access under § 164.524 will affect only a portion of this business; and, in these cases, hospitals should still find it economical to outsource these activities, even if they can only pass on a portion of the costs to the individual.


    HHS Description from Original Rulemaking
    General Provisions: Definitions - Business Associate


    We proposed to define the term “business partner” to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. “Business partner” would have included contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. “Business partner” would have excluded persons who are within the covered entity’s workforce, as defined in this section.

    This rule reflects the change in the name from “business partner” to “business associate,” included in the Transactions Rule.

    In the final rule, we change the definition of “business associate” to clarify the circumstances in which a person is acting as a business associate of a covered entity. The changes clarify that the business association occurs when the right to use or disclose the protected health information belongs to the covered entity, and another person is using or disclosing the protected health information (or creating, obtaining and using the protected health information) to perform a function or activity on behalf of the covered entity. We also clarify that providing specified services to a covered entity creates a business associate relationship if the provision of the service involves the disclosure of protected health information to the service provider. In the proposed rule, we had included a list of persons that were considered to be business partners of the covered entity. However, it is not always clear whether the provision of certain services to a covered entity is “for” the covered entity or whether the service provider is acting “on behalf of” the covered entity. For example, a person providing management consulting services may need protected health information to perform those services, but may not be acting “on behalf of” the covered entity. This, we believe, led to some general confusion among the commenters as to whether certain arrangements fell within the definition of a business partner under the proposed rule. The construction of the final rule clarifies that the provision of the specified services gives rise to a business associate relationship if the performance of the service involves disclosure of protected health information by the covered entity to the business associate. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. The list is intended to include the types of services commonly provided to covered entities where the disclosure of protected health information is routine to the performance of the service, but where the person providing the service may not always be acting “on behalf of” the covered entity.

    In the final rule, we reorganize the list of examples of the functions or activities that may be conducted by business associates. We place a part of the proposed list in the portion of the definition that addresses when a person is providing functions or activities for or on behalf of a covered entity. We place other parts of the list in the portion of the definition that specifies the services that give rise to a business associate relationship, as discussed above. We also have expanded the examples to provide additional guidance and in response to questions from commenters.

    We have added data aggregation to the list of services that give rise to a business associate relationship. Data aggregation, as discussed below, is where a business associate in its capacity as the business associate of one covered entity combines the protected health information of such covered entity with protected health information received by the business associate in its capacity as a business associate of another covered entity in order to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. Adding this service to the business associate definition clarifies the ability of covered entities to contract with business associates to undertake quality assurance and comparative analyses that involve the protected health information of more than one contracting covered entity. For example, a state hospital association could act as a business associate of its member hospitals and could combine data provided to it to assist the hospitals in evaluating their relative performance in areas such as quality, efficiency and other patient care issues. As discussed below, however, the business associate contracts of each of the hospitals would have to permit the activity, and the protected health information of one hospital could not be disclosed to another hospital unless the disclosure is otherwise permitted by the rule.

    The definition also states that a business associate may be a covered entity, and that business associate excludes a person who is part of the covered entity’s workforce.

    We also clarify in the final rule that a business association arises with respect to a covered entity when a person performs functions or activities on behalf of, or provides the specified services to or for, an organized health care arrangement in which the covered entity participates. This change recognizes that where covered entities participate in certain joint arrangements for the financing or delivery of health care, they often contract with persons to perform functions or to provide services for the joint arrangement. This change is consistent with changes made in the final rule to the definition of health care operations, which permits covered entities to use or disclose protected health information not only for their own health care operations, but also for the operations of an organized health care arrangement in which the covered entity participates. By making these changes, we avoid the confusion that could arise in trying to determine whether a function or activity is being provided on behalf of (or if a specified service is being provided to or for) a covered entity or on behalf of or for a joint enterprise involving the covered entity. The change clarifies that in either instance the person performing the function or activity (or providing the specified service) is a business associate.

    We also add language to the final rule that clarifies that the mere fact that two covered entities participate in an organized health care arrangement does not make either of the covered entities a business associate of the other covered entity. The fact that the entities participate in joint health care operations or other joint activities, or pursue common goals through a joint activity, does not mean that one party is performing a function or activity on behalf of the other party (or is providing specified services to or for the other party).

    In general under this provision, actions relating to the protected health information of an individual undertaken by a business associate are considered, for the purposes of this rule, to be actions of the covered entity, although the covered entity is subject to sanctions under this rule only if it has knowledge of the wrongful activity and fails to take the required actions to address the wrongdoing. For example, if a business associate maintains the medical records or manages the claims system of a covered entity, the covered entity is considered to have protected health information and the covered entity must ensure that individuals who are the subject of the information can have access to it pursuant to § 164.524.

    The business associate relationship does not describe all relationships between covered entities and other persons or organizations. While we permit uses or disclosures of protected health information for a variety of purposes, business associate contracts or other arrangements are only required for those cases in which the covered entity is disclosing information to someone or some organization that will use the information on behalf of the covered entity, when the other person will be creating or obtaining protected health information on behalf of the covered entity, or when the business associate is providing the specified services to the covered entity and the provision of those services involves the disclosure of protected health information by the covered entity to the business associate. For example, when a health care provider discloses protected health information to health plans for payment purposes, no business associate relationship is established. While the covered provider may have an agreement to accept discounted fees as reimbursement for services provided to health plan members, neither entity is acting on behalf of or providing a service to the other.

    Similarly, where a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other. However, if a party provides services to or for the other, such as where a hospital provides billing services for physicians with staff privileges, a business associate relationship may arise with respect to those services. Likewise, where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance by the health insurance issuer or HMO to the group health plan does not make the issuer a business associate. In such case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group health plan. We note that where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the provision of insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities or services. We also note that covered entities are permitted to disclose protected health information to oversight agencies that act to provide oversight of federal programs and the health care system. These oversight agencies are not performing services for or on behalf of the covered entities and so are not business associates of the covered entities. Therefore HCFA, the federal agency that administers Medicare, is not required to enter into a business associate contract in order to disclose protected health information to the Department's Office of Inspector General.

    We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.

    We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care. A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider or health plan being paid. Covered entities that initiate such payment activities must meet the minimum necessary disclosure requirements described in the preamble to § 164.514.


    HHS Response to Comments Received from Original Rulemaking
    General Provisions: Definitions - Business Associate


    The response to comments on the definition of “business partner,” renamed in this rule as “business associate,” is included in the response to comments on the requirements for business associates in the preamble discussion of § 164.504.