The HIPAA workforce definition is critical to understanding which entities a covered entity must enter into business associate agreements with. The HIPAA workforce definition is discussed below.
The HIPAA Workforce Definition: What is it?
The HIPAA workforce definition, if properly understood, will make it easier for covered entities to determine whom they need to enter into business associate agreements with.
The “workforce” of a covered entity consists of:
- Trainees, and
- Other persons
whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity. Both individuals who are paid for their work, as well as those who are not, are considered to be “workforce members.”
To be under the “direct control” of a covered entity, the individual must typically perform his or her work at the covered entity’s workplace. In addition, to be under “direct control,” the individual typically must have his or her work performance significantly supervised by the covered entity (that is, the covered entity has the right to direct the manner of job performance, and the individual is given little to no discretion as to how to perform his or her job duties).
Are Members of a Workforce Considered Business Associates?
Under HIPAA, business associates are individuals or entities, other than members of a covered entity’s workforce, who create, receive, maintain, or transmit protected health information (PHI) for the covered entity.
Since members of a covered entity’s workforce are excluded from the definition of “business associates,” covered entities need not and do not enter into business associate agreements with these members.
Sometimes, an independent contractor – that is, a person who is not a workforce member – may seek to be classified as a member of the covered entity’s workforce. An independent contractor might seek this classification to avoid the need for a business associate agreement. The HIPAA Privacy Rule permits a covered entity to treat a non-workforce member as a workforce member – and therefore, as someone who does not need to sign a business associate agreement – if the service provider seeking “workforce” classification agrees to perform its work under the covered entity’s “direct control,” as that phrase is defined above. Once the service provider is treated as a workforce member, the service provider must continue to act as one (to allow its work performance to be directly controlled) to maintain “workforce member” status.