
What qualifies as a HIPAA business associate?

It's hard to tell if a company is a HIPAA business associate, but a closer look at HHS documents helps. Expert Mike Chapple discusses a specific case of compliance confusion.

My company is an IT services firm that specifies, installs and maintains computer networks for small to medium-sized businesses. There are opportunities in the healthcare market for such installations and maintenance at doctors' offices. If my company were to service such accounts, the technicians could come into contact with PHI in the course of server maintenance or performing data backups and data checks. But at no time would any tech be allowed to leave a client's premises with PHI in any form. Would we be considered a HIPAA business associate and therefore need to be HIPAA compliant?

This is a tricky question and the final answer is going to be highly dependent upon the specific circumstances of the covered entity's business and the services your company provides. Before I give you a few informative examples, remember that this is not legal advice and you should run your specific situation by a qualified HIPAA attorney before deciding whether your company must have a HIPAA business associate arrangement.

The Department of Health and Human Services (HHS) is responsible for implementing HIPAA and provides detailed guidance and examples to help covered entities determine when a business associate relationship is necessary. Unfortunately, none of the examples it provides apply directly to this particular situation.

Let's start with the HHS definition of a HIPAA business associate, which is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." HHS goes on to provide examples of those "certain functions or activities," and lists "data analysis, processing or administration" as one of them. That is a fairly vague description, but an argument could be made that your organization performing backups and "data checks" falls under the umbrella of data administration.

Elsewhere on its site, HHS addresses whether a software vendor is a business associate of a covered entity. The conclusion it reaches states, in part, that "If the vendor does need access to the protected health information of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity."

My instinct says that your situation would fall under this same reasoning. If your company is performing backups and other tasks that give it access to protected health information, you would fall under the definition of a HIPAA business associate.



This was last published in January 2016
