HIPAA Blog

Can a Business Associate be Liable for a HIPAA Breach When Its Client Isn't a Covered Entity?

That may be the hidden question in what seems like an otherwise unsatisfying medical record breach problem that seems immune from official action by OCR because the medical provider who originally generated the PHI is not an actual HIPAA covered entity.

Here's the case.  Basically, a New Jersey psychology office has filed a lot of collection actions against patients for past-due bills.  The legal filings, which are public records and can be obtained by anyone who asks the court and pays copying costs, include patient bills and other documentation.  The bills include the patient name (of course, which presumably is in the style of the case as well), but also include CPT codes (which define the type of services provided) and diagnosis codes.  These codes are just numbers, but it's easy to look them up on the internet and see what they stand for.  In other words, when the practice sued the patients, it filed with the court, in public records, the psychological evaluation of the patient.  Frightening, no?

The psychology practice needs to file documentation to prove the debt, so the bills generally are appropriate filings.  But the diagnosis information is not needed prove the debt; therefore, including it is probably beyond the "minimum necessary" restriction of HIPAA's Privacy Rule, which says that even though a use or disclosure is allowed, it must be limited to the minimum necessary (unless it's a use or disclosure for treatment, in which case there's no minimum necessary restriction).

Sounds like a HIPAA violation, right?  Not so fast.

HIPAA only applies to "covered entities" (the whole enchilada) and "business associates" (most all of the Security Rule and the parts of the Privacy Rule that derive from the HITECH Act).  "Covered entities" include healthcare clearinghouses, health plans, and healthcare providers who conduct electronic transactions for which HIPAA establishes standards.  Almost every healthcare provider in the country is a HIPAA covered entity, but not all -- if a healthcare provider never conducts an electronic transaction, or only conducts electronic transactions that are not HIPAA transactions (most payment, enrollment, and eligibility transactions), it isn't covered by HIPAA, so it can't breach HIPAA.

Most HIPAA experts believe that if an entity conducts a single HIPAA transaction electronically, it's a covered entity and subject to HIPAA, not only with regard to the patient for which it did the one electronic transaction, but for all patients.  In other words, once a CE, always a CE.  And if you are a covered entity, HIPAA says you shall not use or disclose PHI unless it is an allowed use or disclosure; any PHI, not just the PHI of your patients.  If you are a doctor and hear about a celebrity's health problem, and you then discuss the celebrity's health issue with your friends, you are technically violating HIPAA.  The celebrity isn't your patient?  The health data is public knowledge?  That doesn't matter.  HIPAA says thou shall not.

Apparently, the Short Hills psychology practice is not a HIPAA covered entity, as determined by OCR when a patient complained about the legal filings.  End of story, right?

Not necessarily.  First, the practice may have other privacy obligations, under state law or other regulations like Gramm-Leach-Bliley.  And even though the psychology practice isn't a covered entity, there may be other parties involved in the litigation on the practice's side that could be covered by HIPAA, not as covered entities but as business associates.  I'm thinking specifically of the collection agency and the law firm, but there could be others.

A vendor that provides a service for a covered entity that involves the creation, receipt, maintenance or transmission of PHI is by definition a "business associate."  HITECH made most of the HIPAA Security Rule directly applicable to business associates, and parts of the Privacy Rule as well.  Just providing a service to a healthcare provider usually makes you a business associate, but not always: if the provider one of those rare providers that isn't a HIPAA covered entity, then the vendor providing services to the provider isn't a business associate.

At least with respect to that particular provider.  The vendor could provide services to another provider that IS a covered entity, in which case the vendor is a business associate, and must comply with the Security Rule and parts of the Privacy Rule.  Must a business associate comply with the Security Rule and applicable parts of the Privacy Rule with respect to the non-covered entity client's PHI as well as the covered entity clients?  I can't say absolutely, but I don't see how you can avoid it.

If I, as a lawyer, provide services to a covered entity involving PHI, I'm obligated under HIPAA as a business associate.  At that point I need policies and procedures, and all the safeguards required by the Security Rule.  Those safeguards address how I must protect PHI; it doesn't by definition limit that to PHI I receive from a covered entity, but seems to apply to all PHI.  Might some health data be PHI and other data not?  I don't think so.  That doesn't mean all health data must be equally protected, and perhaps similar data from different clients can be treated differently, but the policies and procedures (including any differences) must be rational and reasonable.

So, the question now is this: is there a collection agency involved here?  Does the collection agency also serve covered entities?  If so, the collection agency is a business associate, and therefore subject to parts of HIPAA: most of the Security Rule, some of the Privacy Rule.  I don't think a business associate is subject to the minimum necessary rule per se (that's in the Privacy Rule, and predates HITECH), but should it be addressed in the business associate's policies and procedures (that are required by the Security Rule)?  If it is addressed there, did the business associate collection agency violate its HIPAA policies?

Same with the law firm.  I suspect the law firm and the collection agency both have some clients who are HIPAA covered entities, thus making each of them a business associate.  Which could be problematic.

As I noted on Twitter earlier today, this is a bit of a gray area, and you'd really have to tease out the facts and run these theories to their logical conclusions.  And, as always, #TINLA ("this is not legal advice").  But, it does raise some interesting angles:

1. If you can't un-become a covered entity, you probably can't un-become a business associate either (in other words, you only get to lose your HIPAA virginity once).
2. If you're covered for this but not for that, you may actually be covered for that too.
3. The fact that you might be able to treat PHI you got from one source differently than PHI you got from another source doesn't mean you should (especially since it's probably not true anyway).

And who said HIPAA was dull?