NaviNet BAA Position Statement

Business Associate Agreements are not required between NaviNet and health care providers.

What does NaviNet do?

NaviNet is a healthcare communications network, which allows Healthcare Providers to communicate with healthcare payers, pharmacy benefit managers, and their business associates (collectively, Health Plans) to streamline payment and healthcare operations activities.

Who are NaviNet’s clients?

NaviNet is engaged by Health Plans to provide this communications network to facilitate the exchange of Protected Health Information between Health Plans and Health Care Providers. NaviNet provides this service as a HIPAA Business Associate of the Health Plans. Health Care Providers share Protected Health Information with Health Plans for payment and healthcare operations purposes. Because Health Care Providers and Health Plans are both Covered Entities, no Business Associate Agreement is required in order for Health Care Providers and Health Plans to share Protected Health Information for this purpose. 45 C.F.R. § 164.506(c).

Does NaviNet act as a Business Associate to Health Plans?

Yes. NaviNet is a Business Associate of Health Plans and has a Business Associate Agreement in place with each Health Plan participating in the NaviNet communications network. NaviNet is a vendor and provides this service on behalf of Health Plans.

Does NaviNet act as a Business Associate to Health Care Providers?

Typically, no. Health Care Providers do not engage NaviNet to provide the NaviNet communications network. Health Care Providers could communicate with Health Plans directly, but may also choose to communicate with Health Plans using the NaviNet communications network. NaviNet provides Health Care Providers with access to its communication network as a service to the Health Plans.

What if a Health Care Provider uses the AllPayer Services?

From time to time, a Health Care Provider engages NaviNet (and pays NaviNet) to provide a service on the Health Care Provider’s behalf; in those instances NaviNet is acting as a Business Associate to Health Care Providers. One such instance is when a Health Care Provider uses the AllPayer Services. NaviNet’s Use Agreement includes Business Associate contract terms which are legally binding upon acceptance of the User Agreement. Individuals must attest that they are authorized to accept this Use Agreement on behalf of the Health Care Provider in order to access the NaviNet system.

How is NaviNet permitted to receive Protected Health Information from Health Care Providers without a Business Associate Agreement?

The HIPAA regulations are clear that a Covered Entity is permitted to share Protected Health Information with a Business Associate of another Covered Entity. The Department of Health and Human Services has stated that: “If the HIPAA Privacy Rule permits a covered entity to share protected health information with another covered entity, the covered entity is permitted to make the disclosure directly to a business associate acting on behalf of that other covered entity” (http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/241.html).

NaviNet is a Business Associate of each Health Plan that participates in the NaviNet communications network. Health Care Providers are permitted to provide Protected Health Information to Health Plans for payment and health care operations purposes without a Business Associate Agreement. Health Care Providers are equally permitted to provide this Protected Health Information for the same purposes to the Health Plan’s Business Associate, NaviNet.