Physician groups, hospitals, and practitioners would do well to remember the following maxim: All rights of a business associate derive from the rights and restrictions set by the covered entity. Business associates (sometimes referred to as a “BA” or “BAs”) all too often play fast and loose with certain HIPAA exceptions in their quest to use and mine PHI for the business associate’s own purposes. The patient data and PHI of a health care provider are a precious resource and should be protected as such.
Given the rise of machine learning and data science, it is natural that business associates would want to use a covered entity’s (sometimes referred to as a “CE”) protected health information (“PHI”) for the BA’s product development, data aggregation, or to assist in the BA’s marketing activities. After all, this is typically how a business associate improves the product or service it offers to a covered entity. However, HIPAA prohibits a business associate from using PHI for its own purposes without the patient’s written authorization, except in a few narrow circumstances that rest on express regulatory exceptions. Any misuse of PHI could expose a BA to HIPAA fines, criminal penalties, breach of contract claims, and perhaps civil liability to individuals whose PHI was improperly used. (See, e.g., 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.404).
A business associate’s authority to use or disclose PHI derives from the CE’s express authorization, usually provided for in a business associate agreement (sometimes referred to as a “BAA”). A covered entity may only use the patient’s PHI for certain purposes without the patient’s authorization (i.e., the HIPAA Privacy Rule permits a covered entity to use and disclose protected health information, with certain limits and protections, for treatment, payment, and health care operations activities). (45 C.F.R. § 164.502). HIPAA allows a covered entity to share PHI with a business associate so that the business associate can perform authorized activities for or on behalf of the covered entity, and only for that purpose, with very limited exceptions. The same limitations that apply to a covered entity also apply to the business associate (e.g., absent the patient’s written authorization, it may only use the information for purposes of the covered entity’s treatment, payment, health care operations, or other permitted use (Id.)).
HIPAA identifies only two exceptions in which the business associate may use PHI for its own purposes without the patient’s authorization: (a) to perform data aggregation services and (b) for the business associate’s own management and administration. (65 F.R. 82505-06). As such, a business associate may only aggregate a covered entity’s PHI for the health care operations of the covered entity. The “data aggregation” exception requires that such services be done at the specific request, and for the benefit, of the covered entity only. The business associate may not perform data aggregation of the PHI of several covered entities (or a single covered entity) unless each of those covered entities expressly authorizes it and the services specifically benefit each CE (or that single CE). BAs frequently abuse this exception in their quest to monetize the PHI of a covered entity, and BAAs are sometimes drafted to the covered entity’s disadvantage, exploiting its unfamiliarity with this issue. Furthermore, there is no federal guidance or commentary from the Department of Health and Human Services (“HHS”) or the Office for Civil Rights (“OCR”) which affirmatively addresses or authorizes a business associate to use PHI for its own “product development” under the HIPAA exception that allows the business associate to use PHI for its own “management and administration” functions.
The Data Aggregation Exception.
The HIPAA regulations set out the definition of “data aggregation” as the following:
Data aggregation means, with respect to protected health information created or received by a business associate in its capacity as the business associate of a CE, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another CE, to permit data analyses that relate to the health care operations of the respective covered entities. (45 C.F.R. § 164.501, emphasis added).
Per the regulation, a business associate may only aggregate the PHI for the health care operations of the CE, not for the BA’s own purposes. The HHS commentary explains the purpose and scope of the exception:
…we permit a covered entity to authorize the business associate to provide data aggregation services to the covered entity. As discussed above in § 164.501, data aggregation, with respect to protected health information received by a business associate in its capacity as the business associate of a covered entity, is the combining of such protected health information by the business associate with protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. We added this service to the business associate definition to clarify the ability of covered entities to contract with business associates to undertake quality assurance and comparative analyses that involve the protected health information of more than one contracting covered entity. We except data aggregation from the general requirement that a business associate contract may not authorize a business associate to use or further disclose protected health information in a manner that would violate the requirements of this subpart if done by the covered entity in order to permit the combining or aggregation of protected health information received in its capacity as a business associate of different covered entities when it is performing this service. In many cases, the combining of this information for the respective health care operations of the covered entities is not something that the covered entities could do—a covered entity cannot generally disclose protected health information to another covered entity for the disclosing covered entity’s health care operations. 
However, we permit covered entities that enter into business associate contracts with a business associate for data aggregation to permit the business associate to combine or aggregate the protected health information they disclose to the business associate for their respective health care operations. (65 F.R. 82505-06, emphasis added).
Per the regulations and commentary, the “data aggregation” exception does not apply unless (1) the data aggregation is for the covered entity’s health care operations; and (2) the BAA expressly authorizes the business associate to perform the data aggregation services for the CE.
The Management and Administration Exception.
At present, HHS has not defined “management and administration,” nor has it delineated the boundaries of the exception applicable to business associates. The HIPAA Privacy Rule does allow covered entities to use PHI for their “health care operations,” which is defined to include:
Business management and general administrative activities of the covered entity, such as:
(i) Management activities relating to the implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policyholders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policyholder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
(v) Consistent with the applicable requirements of §164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. (45 C.F.R. § 164.501, the definition of health care operations, emphasis added).
HHS’s use of similar terms arguably suggests that the business associate may use PHI for similar internal operations. However, the limited commentary provided suggests that “management and administration” should be construed relatively narrowly. For example, the OCR has explained: “Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.” (https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.pdf).
The OCR guidance provides that permitted uses relate closely to the services the business associate performs for the covered entities. HHS has also confirmed that the “management and administration” exception does not extend to data mining for the business associate’s own purposes (See, 65 F.R. 82644), and the OCR similarly states a business associate may not use PHI for the BA’s independent marketing purposes (See, OCR FAQs at https://www.hhs.gov/hipaa/for-professionals/faq/276/can-business-associates-use-protected-health-information-for-marketing/index.html).
Similarly, there is no HHS or OCR commentary authorizing a business associate to use PHI for product development purposes under the “management and administration” function. Absent such commentary, a business associate’s use of PHI for product development purposes exposes the business associate (and potentially the covered entity) to liability under HIPAA.
Although HIPAA limits the business associate’s use of PHI, the BAA may authorize the business associate to de-identify PHI on behalf of the covered entity client. (See 45 C.F.R. § 164.502(d)). Once de-identified in accordance with the Privacy Rule, the information is no longer protected by HIPAA and, unless otherwise limited by the agreements between the parties or other law, the business associate may use the de-identified information for its own purposes without violating HIPAA. The HHS Office for Civil Rights published the following FAQ addressing this issue:
Q: May a health information organization (“HIO”), acting as a business associate of a covered entity, de-identify information, and then use it for the business associate’s own independent purposes?
A: An HIO, as a business associate, may only use or disclose PHI as authorized by its business associate agreement with the covered entity. (See 45 C.F.R. § 164.504(e)). The process of de-identifying PHI constitutes the use of PHI. Thus, an HIO may only de-identify PHI it has on behalf of a CE to the extent that the BAA authorizes the HIO to do so. However, once PHI is de-identified in accordance with the HIPAA Privacy Rule, it is no longer PHI and, thus, may be used and disclosed by the covered entity or HIO for any purpose (subject to any other applicable laws).
Covered entities should be aware of the risk and exposure created by permitting a business associate to use PHI to develop the purchased product or service, or another product or service that the business associate offers, unless that development activity falls squarely within the scope of the services performed under the service agreement or is specified in the BAA. This nuance is critical and applies to many vendor arrangements in which the vendor wants to use the data it received under the service agreement for product improvement or development (such as “machine learning,” training or tuning algorithms to improve accuracy, fine-tuning software and application services, or developing new products).
The general rule remains that a business associate may not use PHI for its own purposes without the patient’s authorization, and PHI in the hands of the business associate is still protected. To use PHI for its own purposes, the business associate should be able to show that the BAA authorizes the use and that HIPAA permits the business associate to use the PHI to perform a function on behalf of the covered entity, that the use fits within the data aggregation exception or the relatively limited “management and administration” exception, or that the business associate has secured the patient’s authorization.
Covered entities should be especially careful in navigating (and negotiating) these arrangements and should be very wary of vendors who push hard for expanded rights to use PHI “for internal purposes.” Unless there is a specific benefit to the covered entity in the underlying service arrangement, internal use of PHI by the business associate for ill-defined or vague reasons should be restricted or prohibited unless the data is first de-identified (which is itself a separate consideration with its own set of risks, issues, and commercial impacts, since once PHI is de-identified it is no longer subject to HIPAA and, unless the agreements between the parties say otherwise, no longer within the control of the covered entity). In this regard, it is important that the covered entity probe and understand the reasons given by service vendors who want to use PHI for product development, and determine whether there is any inconsistency or misalignment in those reasons or explanations. Given the stakes, a covered entity’s vigilance is a business and regulatory compliance necessity.