HIPAA

Defining business associate

  • 1.  Defining business associate

    Posted 03-14-2019 06:29 PM
    Good afternoon,

    I've encountered an interesting interpretation of what constitutes a business associate and I would like to get some input from others.

    We recently had an outside entity conduct an information security assessment for us.  Relating to @ 164.314(a)(2)(ii)(B) they state that if we release records to fulfill a court order, summons, subpoena, etc. we are required to obtain reasonable assurances from the courts that they will safeguard the PHI.  They recommended that before we release information we ask courts to sign a memorandum of understanding with us stating they understand that the information is protected, etc.  They acknowledge that the court could certainly refuse, but feel that we are obligated to attempt it.

    Now, the basis for this recommendation is that they are considering the courts to be a business associate because we are sharing information with them.

    When I look at the HHS definition of a business associate, it reads:
     A "business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  A "business associate" also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

    I'm having difficulty with the idea that the courts would be a business associate of ours.  They are not performing activities or functions on our behalf and are not acting as a subcontractor.

    I welcome your interpretations!


    ------------------------------
    Emily Roberts CCEP
    Compliance/Privacy Manager
    Morrow County Health District
    Hermiston,OR

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.
    ------------------------------
    Protenus May


  • 2.  RE: Defining business associate

    Posted 03-14-2019 07:27 PM
    ​Without too much disparagement, I would say that your "outside entity conducting an information security assessment lacks a basic understanding of what constitutes a Business Associate. Pretty poor, if that is their line of business, in my opinion. But besides that glaringly poor recommendation, courts are not Business Associate; and I would also take into account any State laws or regulations which might have more restrictions to a subpoena, as California does.

    ------------------------------
    David Rothery, CHC
    Compliance Officer
    Marin County, CA


    These are my personal opinions and not those of the County of Marin
    ------------------------------

    Protenus May


  • 3.  RE: Defining business associate

    Posted 03-15-2019 08:25 AM
    Agreed; the courts are not a BA. In my experience, asking the courts to do something such as sign a BAA would only serve to damage the relationship between the CE and the courts.

    ------------------------------
    Anthony Ambrose, MBA, CHC, CHPC
    Compliance Officer
    Service Access and Management, Inc.
    Lewisburg, PA
    ------------------------------

    Protenus May


  • 4.  RE: Defining business associate

    Posted 03-15-2019 03:04 PM
    ​I agree with the comments made by  David Rothery. Sounds like a teachable moment (if they are open to it) to the Security Company on what defines a BA.

    ------------------------------
    Marcella Henry
    Compliance Officer
    Sunrise Community Inc
    Miami, Florida
    USA
    ------------------------------

    Protenus May


  • 5.  RE: Defining business associate

    Posted 03-16-2019 12:42 PM
    I completely agree with the statements that the court is not a BA; however, I think there is still value in their recommendation.  There recommendation was:
    • "that before we release information we ask courts to sign a memorandum of understanding with us stating they understand that the information is protected, etc.  They acknowledge that the court could certainly refuse, but feel that we are obligated to attempt it."
    I am a foster and adoptive parent and I have been amazed at the number of court employees including judges that are oblivious to the identify protection that the law gives to foster and adoptive parents.  Having my first and last name used in the court room in front of birth parents, including some that are serving time in prison for murder, can't be undone.  Therefore, I see nothing wrong with an attempt to remind them of the protected nature of the data.

    Sorry, I realize that is slightly off topic but related enough that I wanted to share it.  Thanks




    ------------------------------
    Bruce Groen
    President
    InTegriLogic Corporation
    Tucson,AZ
    ------------------------------

    Protenus May