Think You Know Your HIPAA-Related Obligations? Read the ONC’s New Privacy and Security Guide to Find Out

In 2013, we alerted you to the expansion of the definition of the term “business associate” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Now, the Office of the National Coordinator for Health Information Technology (ONC), a subdivision of the U.S. Department of Health and Human Services, has clarified when a business associate relationship forms and explains the precautions business associates should take to secure protected health information (PHI).

Business Associates Under HIPAA

In Chapter 2 of the new version of its Guide to Privacy and Security of Electronic Health Information, the ONC defines a business associate as “a person or entity, other than a workforce member (e.g., a member of your office staff), who performs certain functions or activities on your behalf, or provides certain services to or for you, when the services involve the access to, or the use or disclosure of, PHI.” The work that business associates perform may include “legal, actuarial, accounting, consulting, data aggregation, information technology (IT) management, administrative, accreditation, or financial services.” The Guide enumerates typical business associate functions as including “claims processing, data analysis, quality assurance, certain patient safety activities, utilization review, and billing.”

To illustrate these functions, the Guide describes several informative scenarios: for example, it shows how web designers become business associates when they have regular access to patient records as part of their duty to ensure a website is working properly. These examples suggest that law firms, e-discovery specialists, and other legal service providers who may have access to, use, or disclose PHI can all qualify as business associates under HIPAA. In an e-discovery context, providers will need to get their arms around the possible issues, such as client confidentiality restrictions that may be at odds with notification requirements, exceptions for disclosure, and the proactive flagging of PHI.

Data Security and Privacy

Business associates must take steps to protect patient information under the HIPAA Security Rule, such as instituting physical safeguards and policies and procedures. They must analyze the risks and vulnerabilities to any PHI, including electronic PHI (ePHI), that they create, receive, maintain, or transmit. Helpfully, the new Guide details a seven-step security management process for protecting PHI, including ePHI:

  1. Lead your culture, select your team, and learn;
  2. Document your process, findings, and actions;
  3. Review existing security of ePHI;
  4. Develop an action plan;
  5. Manage and mitigate risks;
  6. Attest for meaningful use security-related objective; and
  7. Monitor, audit, and update security on an ongoing basis.

The Guide also offers tips on how to respond to a data breach. Importantly, it explains when business associates must notify affected individuals if a data breach occurs: no notice is necessary where business associates can show there is a low probability that the breach compromised unsecured PHI, and where business associates have encrypted the PHI so that it is unusable, unreadable, or indecipherable.

The Guide specifically addresses smaller healthcare providers, but its practical contents are useful guidance for any business associate. Organizations should review the Guide and assess whether they qualify as business associates for two primary reasons. First, under the HITECH Act, the Department of Health and Human Services can audit organizations at any time for compliance. Second, a failure to comply with these rules can trigger an investigation and lead to substantial civil penalties and criminal prosecution.

Chris O’Brien is senior vice president at Conduent. He can be reached at