NRPM: Standards for Privacy of Individually Identifiable Health Information. a. Who is a business partner?


Under this proposed rule, a business partner would be a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. This would include contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. This would not include persons who would be members of the covered entity’s workforce. The key features of the relationship would be that the business partner is performing an activity or function for or on behalf of the covered entity and that the business partner receives protected health information from the covered entity as part of providing such activity or function.

Many critical functions are performed every day by individuals and organizations that we would define as business partners. Under the proposal, billing agents, auditors, third-party administrators, attorneys, private accreditation organizations, clearinghouses, accountants, data warehouses, consultants and many other actors would be considered business partners of a covered entity. Most covered entities will use one or more business partners, to assist with functions such as claims filing, claims administration, utilization review, data storage, or analysis. For example, if a covered entity seeks accreditation from a private accreditation organization and provides such organization with protected health information as part of the accreditation process, the private accreditation organization would be a business partner of the covered entity. This would be true even if a third party, such as an employer or a public agency, required accreditation as a condition of doing business with it. The accreditation is being performed for the covered entity, not the third party, in such cases.

The covered entity may have business relationships with organizations that would not be considered to be business partners because protected health information is not shared or because services are not provided to the covered entity. For example, a covered entity could contract with another organization for facility management or food services; if these organizations do not receive protected health information for these functions or activities, they would not be considered business partners. In the case where a covered entity provides management services to another organization, the other organization would not be a business partner because it would be receiving, not providing, a service or function.

Under the proposal, a covered entity could become a business partner of another covered entity, such as when a health plan acts as a third-party administrator to an insurance arrangement or a self-funded employee benefit plan. In such cases, we propose that the authority of the covered entity acting as a business partner to use and disclose protected health information be constrained to the authority that any business partner in the same situation would have. Thus, the authority of a covered entity acting as a business partner to use and disclose protected health information obtained as a business partner would be limited by the contract or arrangement that created the business partner relationship.

In most cases, health care clearinghouses would fall under our definition of "business partner” because they receive protected health information in order to provide payment processing and other services to health plans, health care providers and their business partners, a case that would fall under our definition of "business partner." Therefore, although health care clearinghouses would be covered entities, in many instances under this proposed rule they would also be treated as business partners of the health care providers or health plans for whom they are performing a service. We would note that because health care clearinghouses would generally be operating as business partners, we are proposing not to apply several requirements to health care clearinghouses that we otherwise would apply to covered plans and providers, such as requiring a notice of information practices, access for inspection and copying, and accommodation of requests for amendment or correction. See proposed §§ 164.512, 164.514 and 164.516.