Paubox blog: HIPAA compliant email made easy

Can you be a covered entity and a business associate?

Written by Liyanda Tembani | March 05, 2024

Yes, it is possible to be both a covered entity and a business associate under certain circumstances. For example, an entity may engage in healthcare services subject to HIPAA as a covered entity while also providing services that involve handling PHI for another covered entity, requiring compliance with HIPAA regulations as a business associate.


What are covered entities under HIPAA?

Covered entities under HIPAA are organizations or individuals involved in providing healthcare services and are subject to HIPAA regulations. This category includes:

  • healthcare providers such as doctors, hospitals, clinics, and pharmacies,
  • health plans,
  • healthcare clearinghouses that process nonstandard health information.

As covered entities, these organizations must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. They are responsible for safeguarding patient information, ensuring the confidentiality and integrity of PHI, and providing individuals with certain rights regarding their health information.

Related: How to know if you're a covered entity


HIPAA business associates

Business associates, under HIPAA, are individuals or entities that perform functions or activities on behalf of covered entities that involve the use or disclosure of PHI. This category includes:

  • third-party service providers,
  • consultants,
  • health information exchange organizations,
  • electronic health record vendors.

Business associates are not directly subject to all HIPAA regulations but must comply with certain provisions outlined in the HIPAA Rules. They are required to have business associate agreements (BAAs) with covered entities, outlining their responsibilities in safeguarding PHI and ensuring compliance.

Related: How to know if you're a business associate


Can you be both?

Surprisingly, entities can play dual roles as both a covered entity and a business associate, depending on the situation. This can also apply to some hybrid entities. The HHS clarifies that "Some public agencies perform both covered entity functions and other functions. These agencies may choose to be hybrid entities, so the information held by the non-covered component would not be subject to the Privacy Rule."


Scenarios illustrating dual roles

  1. Healthcare provider offering additional services: The provider is a covered entity while delivering healthcare services, and becomes a business associate when it provides specialized services to another healthcare provider.
  2. Data processing support by a health insurance company: The insurer is a traditional covered entity when providing insurance services, but takes on the role of a business associate when it assists another health plan with data processing tasks.
  3. A healthcare provider in a dual capacity: While operating as a covered entity, the provider may concurrently act as a business associate by offering specialized services such as billing or data analysis to another healthcare provider.
  4. Data-related tasks by a health insurance company: In this scenario, the health insurance company steps into the role of a business associate by handling data-related tasks for another health plan.


How to navigate dual responsibilities

Navigating dual responsibilities requires an entity to keep its two sets of duties distinct. While serving as a covered entity, the primary focus is ensuring patient rights and the appropriate use of PHI. This encompasses maintaining confidentiality, facilitating individuals' access to their medical records, and guaranteeing that all uses of PHI are both necessary and minimal.

On the flip side, when taking on the role of a business associate, you must strictly adhere to the terms laid out in the BAA. This involves using PHI strictly as specified in the agreement, ensuring any additional disclosures or uses align with the initial purpose, and implementing necessary safeguards to protect the confidentiality and integrity of PHI.


The unique case of a self-BAA

Entities may find themselves in the unique position of needing a BAA with themselves to maintain clarity in their dual role. This self-BAA is a formal acknowledgment that different departments or units within the entity have distinct duties and obligations under HIPAA.

In practical terms, large organizations with separate departments or units handling covered entity and business associate functions may formalize this internal division through a self-BAA. For instance, the department providing healthcare services acts as the covered entity, while the unit handling billing services acts as the business associate. The agreement specifies how data flows between these internal functions, ensuring that PHI is accessed and used appropriately based on the role. 


Potential challenges and considerations

  • Clear delineation for compliance: There must be clear roles for compliance. Staff must understand when to act as a covered entity or business associate. Targeted training ensures appropriate handling of PHI based on specific roles.
  • Complex compliance landscape: Operating in dual roles creates complexity. Meeting standards for both requires meticulous policies, procedures, and safeguards. Overlapping obligations add intricacy, demanding vigilant oversight to prevent breaches.


FAQs

Are there specific guidelines for self-BAA agreements within large healthcare organizations?

While HIPAA doesn't provide explicit guidelines for self-BAA agreements, large organizations should ensure clarity in internal divisions, specifying how PHI flows between departments handling covered entity and business associate functions.


Are business associates subject to the same HIPAA penalties as covered entities?

While business associates are not directly subject to all HIPAA penalties, they can face penalties for non-compliance with specific provisions. The extent of liability is outlined in the BAA with the covered entity.


Can a hybrid entity have distinct privacy policies for its covered entity and business associate functions?

Yes, a hybrid entity can develop separate privacy policies for its covered entity and business associate functions, aligning each with the specific requirements and responsibilities associated with their respective roles under HIPAA.