The blog post, "You put your right HIPAA in . . ." provides some background on the process that Microsoft has gone through to look at the question of whether they are directly required to comply with HIPAA as a "covered entity" or whether they must enter into a "business associate agreement" with other covered entities. Although they don't reach a final definitive conclusion, Microsoft does state that they are now prepared to sign a business associate agreement with any covered entity who concludes that it is important as a part of their compliance and responsibility under HIPAA.
The post by also includes a link to the standard Microsoft HealthVault Business Associate Agreement.
The conclusion reached by Microsoft seems like a practical one to this health care lawyer. Anyone who deals with health information has a responsibility to assess whether or not they are a covered entity under HIPAA. They further have a responsibility to be a part of the conversation with those other persons they deal with who are covered entities as to whether a business associate agreement must be in place. However, the final decision of whether a business associate agreement is required must be made by the covered entity who is responsible for complying with the privacy provisions.
The determination of whether a particular party is a business associate under HIPAA is one that largely depends on the unique facts of the relationship that they have with a covered entity under HIPAA. There is not a blanket determination of whether someone is or is not a business associate for purposes of HIPAA compliance. The questions that must be asked to assess whether a business associate relationship exists under 160.103 and 164.502 are:
- Does the person/party "perform or assist" in the performance of a "function or activity" involving the use or disclosure of individually identifiable health information, OR
- Does the person/party provide certain "professional services to or for the covered entity" involving the disclosure of individually identifiable health information (as these terms are further defined under the regulations)?