In a post today, Sean Nolan, Chief Architect of Microsoft Health Solutions and blogger at Family Health Guy explains Microsoft’s position regarding whether Microsoft HealthVault is required to comply with the privacy standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The blog post, “You put your right HIPAA in . . .”, provides some background on the process that Microsoft has gone through to look at the question of whether they are directly required to comply with HIPAA as a “covered entity” or whether they must enter into a “business associate agreement” with other covered entities. Although they don’t reach a final definitive conclusion, Microsoft does state that they are now prepared to sign a business associate agreement with any covered entity that concludes it is important as a part of its compliance and responsibility under HIPAA.
The post also includes a link to the standard Microsoft HealthVault Business Associate Agreement.
The conclusion reached by Microsoft seems like a practical one to this health care lawyer. Anyone who deals with health information has a responsibility to assess whether or not they are a covered entity under HIPAA. They further have a responsibility to be a part of the conversation with those other persons they deal with who are covered entities as to whether a business associate agreement must be in place. However, the final decision of whether a business associate agreement is required must be made by the covered entity, which is responsible for complying with the privacy provisions.
The determination of whether a particular party is a business associate under HIPAA is one that largely depends on the unique facts of the relationship that they have with a covered entity under HIPAA. There is not a blanket determination of whether someone is or is not a business associate for purposes of HIPAA compliance. The questions that must be asked to assess whether a business associate relationship exists under 160.103 and 164.502 are:
- Does the person/party “perform or assist” in the performance of a “function or activity” involving the use or disclosure of individually identifiable health information; OR
- Does the person/party provide certain “professional services to or for the covered entity” involving the disclosure of individually identifiable health information (as these terms are further defined under the regulations).
As stated in the post, there are still unclear areas as a result of the ARRA HITECH privacy provisions that will need to be sorted out as we move forward. However, the important thing is to continue to move forward.