Are Medicaid Transportation Brokers Considered Business Associates?

HIPAA Requirements and the Medicaid Transportation Broker 

The Omnibus Rule defined a number of businesses and quasi-governmental agencies that provide services to support public health care safety net programs as HIPAA Business Associates because of the protected health information they receive, create and/or maintain while performing services on behalf of a HIPAA covered entity. The changes to the HIPAA Rules to implement the provisions of the HITECH Act are still being felt. A case in point are Medicaid transportation brokers.

Medicaid is an assistance program enacted to provide health care services to individuals who meet certain income limits, the aged, invalid or disabled and families with children. Started in 1965, it is funded with federal and state monies, and administered by each state. More recently, the Affordable Care Act allowed states to expand access to Medicaid by increasing the income limits that established eligibility for enrollment. The state agencies that administer the Medicaid program, or the state’s Medicaid managed health care organization are considered to be HIPAA covered entities because they are defined as health plans under HIPAA.

Non-Emergency Medical Transportation (NEMT) is a covered service for beneficiaries enrolled in Medicaid programs. Generally, NEMT is provided through contracts between the state agency that administers the Medicaid program, or the state’s Medicaid managed health care organization and local transportation brokers. 

The state Medicaid agency or Medicaid managed care organization contracts with a network of transportation brokers to provide access to transportation for eligible beneficiaries. Brokers screen for eligibility, schedule the least-costly mode of transportation to medical appointment and services. In some states, transportation brokers are paid a contracted fee based on the number of eligible beneficiaries they serve, or a paid on a fee-for-service basis. 

These contractors hired by the state Medicaid agency or the Medicaid managed care organization are classified as HIPAA Business Associates because they receive, create and/or maintain protected health information of the Medicaid beneficiaries to carry out the services on behalf of the Medicaid program.   

Business associates, like Medicaid transportation brokers, are responsible for full compliance with the HIPAA Security Rule and those portions of the Privacy Rule that apply to what they are doing on behalf of the covered entity. Historically, business associates were not directly subject to liability under HIPAA but, instead, were only contractually liable to their covered entities pursuant to the terms of the business associate agreements. The rule changes issued in 2013 codified which provisions of the privacy and security rules apply to business associates as prescribed by the HITECH Act. Notably, the HITECH Act statutorily imposed direct liability on business associates for failure to comply with HIPAA. Business associates may face civil monetary penalties, and in some cases criminal penalties, for failure to comply or for the failure of their agents, including subcontractors, to comply with the following obligations:

  • Meeting all requirements of the security rule, including administering administrative, physical and technical safeguards, such as conducting risk analyses; designating a security official; implementing required security policies and procedures; implementing technical security measures and facility access controls; conducting security awareness and training programs for all staff, including management; and adopting a contingency plan.
  • Adhering to the following privacy rule obligations such as, admitting uses or disclosures of PHI to only those (i) provided for within their business associate agreement or (ii) permitted or required under HIPAA; limiting permissible disclosures or requests for disclosures of PHI to the minimum necessary; providing an accounting of disclosures; providing access to its covered entity or to the individual who is the subject of the PHI to PHI kept in a designated record set; providing PHI to the U.S. Department of Health and Human Services (HHS) to demonstrate compliance during investigations; and entering into business associate agreements with subcontractors that comply with the provisions governing business associate agreements between covered entities and business associates.
  • Maintaining compliance records and submitting reports to HHS when HHS requires such disclosures to determine whether a covered entity or business associate is complying with HIPAA.
  • Providing a breach notification to its covered entity upon discovering a privacy or security “breach,” as defined under HIPAA, and performing a risk assessment, in accordance with the final rule, when determining whether a breach has occurred.
Learn More

Learn more about our vendor security management service.

Manage the risks of your business associates.
Learn More
July 1st, 2014|

About the Author:

David Holtzman

Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.