Under HIPAA, Carriers such as insurers or HMOs do not become Business Associates of OEB simply by providing health insurance or health coverage for OEB. OEB shall ensure that any Disclosures to OEB by a Carrier providing health insurance or health coverage on behalf of OEB is made compliance with this Manual.
6.3(1) Determination of Business Associate Status.
Prior to entering into any agreement with a Carrier for Group Health Plan services or activities, OEB shall determine whether the Issuer or HMO shall become a Business Associate as a result of such services or activities. The Carrier does not become a Business Associate simply by providing health insurance or health coverage for OEB.
6.3(2) Contracting With Carriers.
If the Carrier is a Business Associate due to services or activities other than providing Fully-Insured Group Health Plan insurance or health coverage for OEB, OEB shall comply with Section 6.1 of this Policy in connection with such Issuer or HMO. If the Carrier is providing Fully-Insured Group Health Plan insurance or health coverage for OEB, OEB shall comply with Policy 5 which are the policies applicable to OEB as a Plan Sponsor.
6.3(3) Monitoring Carriers.
If OEB learns that a Carrier providing Group Health Plan insurance or health coverage for or on behalf of OEB has Disclosed PHI concerning its Members, which Disclosure, if performed by OEB, would be a violation of a Policy in this Manual, OEB shall take reasonable steps to stop such Disclosure and mitigate any harmful effects from such Disclosure in accordance with Section 8.4 of this Manual. If OEB’s steps to end such Disclosures and mitigate their effects are unsuccessful, OEB shall terminate the contract or arrangement with the Carrier. If it is determined that such termination is not reasonable or feasible, the Privacy Officer shall report the problem to the Secretary.
45 C.F.R. § 164.504(f)(3)(ii)
65 Fed. Reg. at 82,642 (Dec. 28, 2000)