All terms used but not otherwise defined herein shall have the meaning(s) given to them in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations set forth at 45 CFR Parts 160, 162 and 164, as amended from time to time (collectively, “HIPAA”).
Indigo Insure LLC, and its affiliated entities (collectively, “Indigo”) have reviewed the applicable provisions of HIPAA and guidance related thereto, and determined that business associate agreements (“BAAs”) are not required in connection with Indigo’s provision of malpractice and cyber insurance products to our health care provider policyholders. Although Indigo may receive, transmit, and/or maintain Protected Health Information in the course of providing malpractice and cyber insurance products, it does so on its own behalf in paying and processing claims under the insured’s policy, rather than on behalf of the insured. Accordingly, such uses and disclosures of PHI do not require a BAA between Indigo and its policyholder clients.
The Department of Health and Human Services’ Office for Civil Rights (“OCR”), the governmental body that enforces HIPAA, has long maintained a carve-out to the definition of “business associate” for an insurer or reinsurer. For example, in the preamble to the HIPAA final rule, OCR stated that where a covered entity purchases insurance from an insurance issuer, the insurer’s uses and disclosures of PHI necessary for such functions are undertaken on its own behalf, rather than on behalf of the covered entity. This commentary notes that to the extent the insurer performs functions or activities “in addition to or not directly related to the provision of insurance,” a BAA may become necessary with respect to such additional services. See 65 Fed. Reg. 82462, 82476 (Dec. 28, 2000).
OCR repeated this reasoning in 2013 commentary, stating that the provision of insurance products alone does not create a business associate relationship:
A person or entity is a business associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a covered entity. . . A business associate agreement is not required where a covered entity purchases a health plan product or other insurance, such as medical liability insurance, from an insurer. However, a business associate relationship could arise if the insurer is performing a function on behalf of, or providing services to, the covered entity that does not directly relate to the provision of insurance benefits, such as performing risk management or assessment activities or legal services for the covered entity, that involve access to protected health information. 78 Fed. Reg. 5566, 5575 (Jan 25, 2013).
An FAQ written by OCR repeats the reasoning above with respect to reinsurers:
A reinsurer does not become a business associate of a health plan simply by selling a reinsurance policy to a health plan and paying claims under the reinsurance policy. Each entity is acting on its own behalf when the health plan purchases the reinsurance benefits, and when the health plan submits a claim to a reinsurer and the reinsurer pays the claim. (FAQ created by OCR: December 19, 2002; last reviewed by OCR: January 9, 2023).
Here, Indigo’s services are limited to its own purposes directly related to obtaining or maintaining liability coverage on its own behalf (e.g., selling insurance policies, assessing and paying claims, and other related purposes), rather than the types of ancillary indirect services that would require a BAA, as described by OCR (e.g., performing risk management services on behalf of policyholders).
Although Indigo is not required by HIPAA to enter BAAs with its policyholder clients in order to provide its services to clients, Indigo nevertheless complies with all applicable federal and state laws regarding the confidentiality of records and patient health information.
If you have questions regarding this position statement, please contact Indigo at firstname.lastname@example.org.