March 5, 2013. Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
Our focus today is on business associates in 45 CFR 164.502: Uses and disclosures of protected health information: General Rules—(a) Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by [the HIPAA Privacy Rule] or by subpart C of part 160 of this subchapter [Compliance and Investigations of General Administrative Requirements of Administrative Data Standards and Related Requirements]. Below we present the modified regulations pertaining to (3) Business associates: Permitted uses and disclosures; and (4) Business associates: Required uses and disclosures. 78 Federal Register 5696
(3) Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to 45 CFR 164.504(e) [Uses and disclosures: Organizational requirements—Standard. Business associate contracts: at 78 Federal Register 5697-5698] or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of [the HIPAA Privacy Rule], if done by the covered entity, except for the purposes specified under 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.
Here are 164.504(e)(2)(i)(A) and (B):
164.504(e)(2): Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of [the HIPAA Privacy Rule], if done by the covered entity, except that:
(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section [Implementation specifications: Other requirements for contracts and other arrangements]; and
(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
78 Federal Register 5697
(4) Business associates: Required uses and disclosures. A business associate is required to disclose protected health information:
(i) When required by the Secretary under subpart C of part 160 of this subchapter [Compliance and Investigations of General Administrative Requirements of Administrative Data Standards and Related Requirements] to investigate or determine the business associate’s compliance with this subchapter.
(ii) To the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations under 45 CFR 164.524(c)(2)(ii) and (3)(ii) with respect to an individual’s request for an electronic copy of protected health information.
Here are 164.524(c)(2)(ii) and (3)(ii):
164.524(c): Access of individuals to protected health information—Implementation specifications: Provision of access:
(2)(ii) Form of access requested—Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
(3)(ii) Time and manner of access—If an individual’s request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.
We provide here a selection of the Final Rule preamble that underpins the regulatory provisions above:
“[T]he final rule provides that a business associate is a person who performs functions or activities on behalf of, or certain services for, a covered entity or another business associate that involve the use or disclosure of protected health information. The final rule establishes that a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.
“Liability also does not depend on the type of protected health information that a business associate creates, receives, maintains, or transmits on behalf of a covered entity or another business associate, or on the type of entity performing the function or service, except to the extent the entity falls within one of the exceptions at paragraph 4 of the definition of business associate. First, protected health information created, received, maintained, or transmitted by a business associate may not necessarily include diagnosis-specific information, such as information about the treatment of an individual, and may be limited to demographic or other information not indicative of the type of health care services provided to an individual. If the information is tied to a covered entity, then it is protected health information by definition since it is indicative that the individual received health care services or benefits from the covered entity, and therefore it must be protected by the business associate in accordance with the HIPAA Rules and its business associate agreement. Second, the definition of business associate is contingent on the fact that the business associate performs certain activities or functions on behalf of, or provides certain services to, a covered entity or another business associate that involve the use or disclosure of protected health information. Therefore, any person, defined in the HIPAA Rules as a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private, who performs these functions or activities or services is a business associate for purposes of the HIPAA Rules, regardless of whether such person has other professional or privilege-based duties or responsibilities. …
“In response to comments requesting clarification on which HIPAA provisions a business associate is directly liable for compliance, we provide the following. Business associates are directly liable under the HIPAA Rules for impermissible uses and disclosures, for a failure to provide breach notification to the covered entity, for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement), for a failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules, for a failure to provide an accounting of disclosures, and for a failure to comply with the requirements of the Security Rule. Business associates remain contractually liable for other requirements of the business associate agreement … .
“With respect to a business associate’s direct liability for a failure to provide access to a copy of electronic protected health information, business associates are liable for providing electronic access in accordance with their business associate agreements. Therefore, business associates may provide electronic access directly to individuals or their designees, or may provide the electronic protected health information to the covered entity (which then provides the electronic access to individuals or their designees). As with many other provisions in the HIPAA Rules, the Department leaves the details to the contracting parties, and is concerned only that access is provided to the individual, not with which party provides the access.” 78 Federal Register 5598-5599
Tomorrow, we look at the first of two categories of modified prohibited uses and disclosures regulations: use and disclosure of genetic information for underwriting purposes.