[author: Michael L. Nichols*]
A business associate agreement (BAA) is a written contract between a covered entity (CE) and a business associate (BA) that—among other requirements—(1) establishes the permitted and required uses and disclosures of protected health information (PHI) by the BA; (2) provides that the BA will not use or further disclose the information other than as permitted or required by the contract or as required by law; and (3) requires the BA to implement appropriate safeguards to prevent unauthorized use or disclosure of the information.[1]
A CE is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information in electronic form in connection with a transaction covered by HIPAA.[2] A BA is an individual or entity—other than a member of a CE’s workforce—that creates, receives, maintains, or transmits PHI in order to perform certain “covered functions” on behalf of a CE.
In general, compliance professionals and their respective legal counsels know that HIPAA defines the circumstances in which CEs and BAs must enter into a BAA. Specifically, CEs understand a BAA is required when an individual or entity creates, receives, maintains, or transmits PHI to perform a covered function on behalf of the CE.
Perhaps due to an overinterpretation of HIPAA or a general practice of risk aversion, some CEs—including academic medical centers and research institutes—routinely require execution of a BAA whenever they disclose PHI to third parties to perform research or clinical research services involving the disclosed PHI. Research is defined in the HIPAA Privacy Rule as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”[3] However, not all third parties that receive PHI from a CE to conduct research or clinical research services are BAs under HIPAA.
Nonetheless, some CEs insist on requiring a BAA when disclosing PHI to a third party to perform research or clinical research services. This generally stems from a mistaken assumption that they are vicariously liable for the third party’s HIPAA violations. But HIPAA clearly states that a CE is liable for a third party’s actions only if the third party is acting as an agent of the CE, i.e., the CE had the right to control the third party’s actions.[4] Consequently, unnecessary execution of BAAs may actually work against the CE, because it may suggest an agency relationship by giving the CE too much control over the actions of the third party.[5]
Also, unnecessary execution of BAAs may subject third parties to contractual liabilities they would not have but for the agreement, including the costs of complying with regulations that do not otherwise apply, and damages for failure to comply. The purpose of this article is to clarify the extent to which external third parties receiving disclosed PHI to perform research services qualify as BAs under HIPAA, requiring an executed BAA.
BAs are generally not third parties receiving PHI for research
As previously stated, a BA is an individual or entity creating, receiving, maintaining, or transmitting PHI on behalf of a CE to perform a covered function. A covered function is any function the performance of which makes the performer a health plan, healthcare provider, or healthcare clearinghouse.[6] Under the HIPAA Privacy Rule, covered functions performed by BAs include claims processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, repricing, legal, actuarial, accounting, data aggregation, data analysis, management, accreditation, or financial services.[7] Research is not listed among the covered functions performed by BAs under the HIPAA Privacy Rule.
Thus, a third party’s performance of research or clinical research services on behalf of a CE does not render the third party a BA of the CE under HIPAA. This is true even if the research services performed by the third party involve disclosed PHI. Accordingly, third parties receiving PHI pursuant to a permissible disclosure from a CE, in order to perform or assist the CE with performing research or clinical research services, are not engaged in an activity the HIPAA Privacy Rule recognizes as that of a BA (for examples of permissible disclosures for research purposes, see the circumstances listed below). Also, the question of whether authorization is required to disclose PHI is distinct from the question of whether the use of PHI to perform services on behalf of a CE necessitates the execution of a BAA.[8]
In the final amendment to the HIPAA Standards for Privacy of Individually Identifiable Health Information, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) illustrates this point by addressing the question of whether research activities are covered functions under HIPAA. Specifically, OCR stated, “Research is not a covered function or activity.”[9] OCR further clarified that “disclosures from a covered entity to a researcher for research purposes as permitted by the [Privacy] Rule do not require a business associate contract. This remains true even in those instances where the covered entity has hired the researcher to perform research on the covered entity’s own behalf because research is not a covered function or activity.”
OCR reiterated these positions in the Omnibus Final Rule when implementing the Health Information Technology for Economic and Clinical Health Act. In the Omnibus Rule, OCR clarified that a “person or entity is a business associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a covered entity, [and] [t]hus, an external researcher is not a business associate of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research” (emphasis added).[10]
Still, some CEs will require third-party vendors, academic medical centers, and research institutes hosting a clinical research data repository on their behalf to enter into a BAA. However, these third parties may push back because even if the data elements in the registry are identifiable and the registry is being maintained for the purposes of current or future research, the third parties hosting the data repository on behalf of a CE do not qualify as a BA under HIPAA.[11] Thus, given the cost of compliance and penalties for noncompliance, these third parties will likely point out they are not performing as BAs and, therefore, an executed BAA is not required.[12]
Relatedly, CEs such as academic medical centers or research institutions participating in a clinical trial may hire a third-party vendor to perform certain phlebotomy activities for required laboratory testing. In doing so, the third-party vendor may receive or gather PHI regarding the research participants. Although the vendor’s receipt or collection of PHI, as applicable, is integral to the research and clinical trial, the vendor’s activities do not constitute the performance of a covered function or other activity that would render the vendor a BA.[13] Therefore, the CE and the vendor are not required to enter into a BAA.
It should be noted, however, that even if no BAA is required, the HIPAA Privacy Rule still restricts the use or disclosure of PHI by a CE. Specifically, a CE and its employees may not use or disclose individually identifiable health information (or PHI) for research except in one of the following circumstances:
(a) The patient/research participant has signed a written authorization containing all the elements specified in the Privacy Rule;
(b) An institutional review board or privacy board has waived or altered the requirement for HIPAA authorization;
(c) The CE has “de-identified” the data prior to its use or disclosure for research; or
(d) The data is in the form of a “limited data set” containing no HIPAA “direct identifiers,” and the researcher (or researcher’s institution) has signed a data use agreement.[14]
Can third parties obtaining PHI for research be BAs and require a BAA?
The short answer is yes. There are circumstances when third parties performing certain research services may fall within the definition of BA and must execute a BAA. Here are some examples:
When third-party entities or individuals create a de-identified data set for a CE
The HIPAA Privacy Rule regulates the creation of de-identified information. Specifically, de-identification falls within the scope of CE’s “health care operations.”[15] Accordingly, the process of de-identifying PHI constitutes the performance of a covered function or activity that the HIPAA Privacy Rule regulates. So, if CEs use a vendor to de-identify PHI on their behalf—even when the purpose is to use the de-identified data for research purposes—then a BA relationship is created, and the CE and vendor are required to execute a BAA.
Similarly, if an academic medical center discloses PHI to a data analytics firm so that the data analytics firm may de-identify the data to allow the academic medical center to assess patient outcomes or use the de-identified data for some other operational purpose, a BA relationship is created, and the academic medical center and the data analytics firm must enter into a BAA.[16]
When external researchers create an LDS for a CE
An external researcher is a BA if the researcher creates a limited data set (LDS) on behalf of a CE. Forming an LDS falls within the scope of a CE’s healthcare operations under the HIPAA Privacy Rule. Thus, the CE and external researcher must execute a BAA if the external researcher creates an LDS for the CE.
Takeaways
- In general, research is not a covered function or activity. So, protected health information (PHI) disclosures from a covered entity (CE) to a researcher for research purposes, as permitted by the HIPAA Privacy Rule, do not require a business associate agreement (BAA).
- While it is important to know when a BAA is not required, it is equally (if not more) critical for compliance professionals to know when third-party researchers receiving PHI qualify as business associates (BAs), and, therefore, must execute a BAA.
- Third-party researchers qualify as BAs when they create, receive, maintain, or transmit PHI to perform a “covered function,” and thus must execute a BAA.
- CEs should require a BAA only to the extent required—i.e., when a third-party entity or individual creates, receives, maintains, or transmits PHI to conduct a covered function or performs one of the services listed in the definition of BA in the HIPAA Privacy Rule.
- Third parties should generally avoid executing a BAA when they are not performing a “covered function,” as doing so may subject them to contractual liabilities they would not otherwise have, including the costs of complying with regulations that do not otherwise apply.
*Michael Nichols is the Assistant General Counsel at the H. Lee Moffitt Cancer Center and Research Institute, Inc. in Tampa, FL.
1 U.S. Department of Health and Human Services, Office for Civil Rights, “Health Information Privacy: Business Associate Contracts,” content last reviewed June 16, 2017, https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
2 45 C.F.R. § 160.103.
3 See 45 C.F.R. § 164.501.
4 45 C.F.R. § 160.402(c); Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566, 5,581 (Jan. 25, 2013), https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
5 Kim Stanger, “To BAA or Not to BAA: Must You Have One?” Holland & Hart: Insight, October 24, 2023, https://www.hollandhart.com/avoiding-business-associate-agreements.
6 U.S. Department of Health and Human Services, National Institutes of Health, “To Whom Does the Privacy Rule Apply and Whom Will It Affect?” accessed September 4, 2024, https://privacyruleandresearch.nih.gov/pr_06.asp.
7 See 45 C.F.R. § 160.103.
8 See U.S. Department of Health and Human Services, Office for Civil Rights, “Research,” content last reviewed August 21, 2024, https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html.
9 Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 53,182, 53,252 (Aug. 14, 2002), https://www.govinfo.gov/content/pkg/FR-2002-08-14/pdf/02-20554.pdf.
10 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,575 (Jan. 25, 2013).
11 Kimberly J. Kannensohn and Paige Dowdakin, “Business Associates and Clinical Research: Resolving a HIPAA Compliance Conundrum,” Bloomberg Law, Health Law & Business (blog), August 15, 2017, https://news.bloomberglaw.com/health-law-and-business/business-associates-and-clinical-research-resolving-a-hipaa-compliance-conundrum-1.
12 See National Institutes of Health, “Research Repositories, Databases, and the HIPAA Privacy Rule,” January 2004.
13 Kannensohn and Dowdakin, “Business Associates and Clinical Research: Resolving a HIPAA Compliance Conundrum.”
14 U.S. Department of Health and Human Services, Office for Civil Rights, “Research.”
15 See 45 C.F.R. §§ 164.501, 164.514.
16 Kannensohn and Dowdakin, “Business Associates and Clinical Research: Resolving a HIPAA Compliance Conundrum.”