Brokers as Business Associates – When is a Business Associate Agreement Required?
Updated: September 2023
It is not uncommon for brokers to wonder if they are acting as business associates for their employer clients, and if so, what their compliance obligations are in this role.
In general, a business associate is any third party that performs plan administration functions on behalf of a covered entity when those functions involve the use and/or disclosure of protected health information (PHI). Often, brokers will provide services to their clients such as health plan administration assistance, coordination with third-party administrators and/or carriers to resolve employee benefits and claims issues; data analytics, and other activities related to the creation, renewal, or replacement of a health insurance contract. Sometimes brokers will even provide software platforms to clients for their use in managing/administering their health plans and those platforms store PHI. When any of these services involve the use of PHI, the broker is almost certainly acting as a business associate on behalf of the client’s health plan.
Under HIPAA’s privacy requirements, employers (on behalf of their health plans) must enter into business associate agreements (BAAs) with any business associates before disclosing PHI to the business associate. A BAA essentially passes down the same privacy and security protections that apply to the health plan to the business associate. It is a way for employers to ensure that any PHI they entrust to third parties remains protected and secured.
Technically, it is the employer’s responsibility to ensure that any required BAAs are put in place on behalf of the health plans they sponsor for their employees. But employers may not realize that a BAA is necessary or understand when it is required. Therefore, a broker may want to consider a practice of proactively providing a BAA to its clients when it knows it is providing business associate services to that client. Adopting this practice may also help address the following potential issues:
- An employer may misunderstand how much PHI they actually interact with or share with their vendors. Unless an employer is truly limiting the amount of information it shares with third parties to enrollment data and/or highly aggregated data (summary health information”), a BAA will be necessary. As compliance advisors to their clients, brokers provide valuable protection to their clients by proactively providing a BAA. The Office for Civil Rights (OCR), which provides regulatory oversight of HIPAA’s compliance requirements, has stated in its most recent HIPAA audit protocol that audits will include reviews of a covered entity’s process for identifying and entering into BAAs with business associates. Therefore, ensuring that clients are covered from this perspective, at least with respect to their brokers, is a good idea.
- The regulators have been clear that a business associate relationship exists even in the absence of a written contract. In other words, a vendor does not avoid business associate status by failing to execute a written agreement. If a broker is interacting with PHI on its client’s behalf, then it is by definition acting as a business associate (and a written agreement is required). Since business associates are directly liable for ensuring that they do not use or disclose PHI beyond what the terms of a business associate agreement permits, having a BAA in place (and abiding by its terms/limitations) is crucial for compliance.
- From a practical perspective, it is administratively easier for a broker to comply with a standard set of requirements in a single template BAA than trying to manage the different terms provided in a disparate set of BAAs provided by individual clients. Brokers that have a standard BAA template that they are familiar with and provide proactively to their clients will have a much easier time ensuring that they are abiding by the terms of the BAA.
- Finally, sometimes vendors will ask brokers whether or not there is a BAA in place between the broker and their employer clients and may even refuse to provide a broker with data unless there is one in place, whether it was technically necessary or not. To avoid this, many brokers find it easiest to just procure a BAA up front.
Some brokers may wonder if a BAA is necessary in cases where a client only has fully-insured plans and has adopted a “hands-off” approach to administration – i.e., is truly limited to just interacting with enrollment information and/or summary health information (which is highly aggregated and by definition almost completely de-identified). While a BAA is technically not required in this instance, it may still be prudent to consider entering into a BAA. As noted above, employers may misunderstand the extent to which they are interacting with PHI. Or they may only think about certain health plans (e.g., a fully insured medical plan) and fail to consider other self-funded health plans such as health FSAs or HRAs, where additional HIPAA compliance obligations exist. In addition, plan designs change regularly, and if an employer switches to a funding mechanism/plan design that does entail additional access to PHI down the road, having a BAA already in place eases future administration burdens. For these reasons, it is usually safest for brokers to put a compliant BAA in place with their employer clients regardless of plan funding. Doing so will protect the employer, as plan sponsor, if the employer were to inadvertently share information with its broker that goes beyond the allowable enrollment/disenrollment and/or summary health information. (And remember to keep in mind that if employers do have more extensive PHI, they will also need to consider additional compliance obligations under HIPAA.)
For assistance in drafting a compliant BAA, a link to the model HHS BAA may be found here.
While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting, or other professional advice or services. Readers should always seek professional advice before entering into any commitments.