Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements. Here’s “TIP THREE” —
Covered Entities and Business Associates: make sure you know where your Protected Health Information (PHI) sits, and make sure you have a Business Associate Agreement (BAA) with whoever houses it.
Does your vendor create, receive, maintain, or transmit protected health information (PHI) on your behalf? If so, it’s very likely they are a Business Associate even if they aren’t expected to actually access the PHI. The Omnibus Rule added language to the definition of Business Associate to make it clear that it includes a person who, on behalf of a Covered Entity, provides “data transmission services with respect to a covered entity and that requires access on a routine basis” to the PHI.
In the preamble to the Omnibus Rule, HHS describes what it means for a data transmission service to have “access on a routine basis” to PHI and distinguishes such a vendor from a “mere conduit” (which is not a Business Associate). HHS says that the determination of whether the vendor is a “mere conduit” is “fact specific” and meant to apply narrowly to services like the U.S. Postal Service or United Parcel Service and their “electronic equivalents, such as internet service providers… .” HHS explains that a “mere conduit” does not access PHI “other than on a random or infrequent basis as necessary to provide the transportation service or as required by law.” On the other hand, an entity that maintains PHI on behalf of the Covered Entity is a Business Associate and not a conduit, “even if the entity does not actually view” the PHI.
My tip? If you are a Covered Entity or Business Associate and use a vendor to store electronic or hard copy health information on your behalf in the cloud, on a server, or anywhere else, make sure you have a BAA or Subcontractor Agreement, respectively, in place even if you don’t expect the vendor to access the PHI on a “routine basis.”