HIPAA Final Rule: Business Associates–Permitted and Required Uses & Disclosures

March 5, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Our focus today is on business associates in 45 CFR 164.502: Uses and disclosures of protected health information:  General Rules—(a) Standard.  A covered entity or business associate may not use or disclose protected health information, except as permitted or required by [the HIPAA Privacy Rule] or by subpart C of part 160 of this subchapter [Compliance and Investigations of General Administrative Requirements of Administrative Data Standards and Related Requirements].  Below we present the modified regulations pertaining to (3) Business associates:  Permitted uses and disclosures; and (4) Business associates:  Required uses and disclosures.  78 Federal Register 5696

(3) Business associates:  Permitted uses and disclosures.  A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to 45 CFR 164.504(e) [Uses and disclosures:  Organizational requirements—Standard.  Business associate contracts: at 78 Federal Register 5697-5698] or as required by law.  The business associate may not use or disclose protected health information in a manner that would violate the requirements of [the HIPAA Privacy Rule], if done by the covered entity, except for the purposes specified under 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.

Here are 164.504(e)(2)(i)(A) and (B):

164.504(e)(2):  Implementation specifications:  Business associate contracts.  A contract between the covered entity and a business associate must:

(i) Establish the permitted and required uses and disclosures of protected health information by the business associate.  The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of [the HIPAA Privacy Rule], if done by the covered entity, except that;

(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section [Implementation specifications:  Other requirements for contracts and other arrangements]; and

(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

78 Federal Register 5697

(4) Business associates:  Required uses and disclosures.  A business associate is required to disclose protected health information:

(i) When required by the Secretary under subpart C of part 160 of this subchapter [Compliance and Investigations of General Administrative Requirements of Administrative Data Standards and Related Requirements] to investigate or determine the business associate’s compliance with this subchapter.

(ii) To the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations under 45 CFR 164.524(c)(2)(ii) and (3)(ii) with respect to an individual’s request for an electronic copy of protected health information.

Here are 164.524(c)(2)(ii) and (3)(ii):

164.524(c):  Access of individuals to protected health information— Implementation specifications: Provision of access:

(2)(ii) Form of access requested.  Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

(3)(ii) Time and manner of access.  If an individual’s request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.

We provide here a selection of the Final Rule preamble that underpins the regulatory provisions above:

“[T]he final rule provides that a business associate is a person who performs functions or activities on behalf of, or certain services for, a covered entity or another business associate that involve the use or disclosure of protected health information. The final rule establishes that a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.

“Liability also does not depend on the type of protected health information that a business associate creates, receives, maintains, or transmits on behalf of a covered entity or another business associate, or on the type of entity performing the function or service, except to the extent the entity falls within one of the exceptions at paragraph 4 of the definition of business associate. First, protected health information created, received, maintained, or transmitted by a business associate may not necessarily include diagnosis-specific information, such as information about the treatment of an individual, and may be limited to demographic or other information not indicative of the type of health care services provided to an individual. If the information is tied to a covered entity, then it is protected health information by definition since it is indicative that the individual received health care services or benefits from the covered entity, and therefore it must be protected by the business associate in accordance with the HIPAA Rules and its business associate agreement. Second, the definition of business associate is contingent on the fact that the business associate performs certain activities or functions on behalf of, or provides certain services to, a covered entity or another business associate that involve the use or disclosure of protected health information. Therefore, any person, defined in the HIPAA Rules as a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private, who performs these functions or activities or services is a business associate for purposes of the HIPAA Rules, regardless of whether such person has other professional or privilege-based duties or responsibilities. …

“In response to comments requesting clarification on which HIPAA provisions a business associate is directly liable for compliance, we provide the following. Business associates are directly liable under the HIPAA Rules for impermissible uses and disclosures, for a failure to provide breach notification to the covered entity,  for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement), for a failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules, for a failure to provide an accounting of disclosures, and for a failure to comply with the requirements of the Security Rule.  Business associates remain contractually liable for other requirements of the business associate agreement … .

“With respect to a business associate’s direct liability for a failure to provide access to a copy of electronic protected health information, business associates are liable for providing electronic access in accordance with their business associate agreements. Therefore, business associates may provide electronic access directly to individuals or their designees, or may provide the electronic protected health information to the covered entity (which then provides the electronic access to individuals or their designees). As with many other provisions in the HIPAA Rules, the Department leaves the details to the contracting parties, and is concerned only that access is provided to the individual, not with which party provides the access.”  78 Federal Register 5598-5599

Tomorrow, we look at the first of two categories of modified prohibited uses and disclosures regulations: use and disclosure of genetic information for underwriting purposes.

3 comments on “HIPAA Final Rule: Business Associates–Permitted and Required Uses & Disclosures”

  1. Hello, I am an RN in NJ, prior participant in RAMP (Recovery and Monitoring Program). I have requested my records of their documentation of my case and all affiliated forms. They have answered that they don’t know what I am looking for; they only have records that I submitted of outside evaluations. However, I was evaluated by RAMP on admission and every 90 after and upon discharge. Is this a HIPAA violation, and what can my lawyer do!?

  2. Hello, I am an RN in NJ, prior participant in RAMP (Recovery and Monitoring Program). I have requested my records of their documentation of my case and all affiliated forms. They have answered that they don’t know what I am looking for; they only have records that I submitted of outside evaluations. However, I was evaluated by a RAMP nurse on admission and every 90 after for the next almost 5 years and upon discharge. Is this a HIPAA violation, and what can my lawyer do!?

  3. My 28 year old daughter and her husband were both shot and killed recently, and because they had 3, 6, and 12 year old children we are now dealing with social services and custody/kinship/guardianship. Long story short, I had a 7 year sobriety that went to the wayside after hearing about her death and how she died. During this time my daughter was living on the streets and I kept begging for them to get her and her husband in treatment so that I could just be gma and they could be parents. She never spoke with them or offered them treatment like she said she was, and instead of the family healing and reuniting they were shot and left like trash in the bushes behind an abandoned warehouse. Not even 1 month after this tragedy I tested positive for methamphetamines. I am also diagnosed with adult ADHD, so when I use methamphetamines it doesn’t have the effect most people expect. Having said this, I agreed to treatment at an outpatient facility approved by social services and that I would get a prescription and a psych doctor. So my therapist says due to past serious trauma I have PTSD and anxiety issues that are the source of said drug use as a way to ignore or mute the emotional pain I am in. So my therapist and I agreed that for right now we will concentrate on getting the trauma treated and possibly the drug use will fade away or at least decline. Well, my caseworker kept forgetting to order my U/A, so when we had our meeting on how progress is coming along I had to admit I hadn’t completely quit, even though this was the professional opinion of my therapist to not focus on absolute sobriety and try to get the trauma under control so I don’t need so much “help” from the drugs. When this meeting was over the supervisor was irate that I hadn’t completely quit, so he says to me and my mom that they are going to now try to find other family members who can take care of the 3 kids instead of us.
     Well, my daughter had a Will that is going to probate and she named my mom as the PR and guardian, but in the meantime social services sent out a letter notifying 28 people that if they have any desire to apply for guardianship to go ahead and contact her either by email or phone. When my brother-in-law spoke to this supervisor on the phone he instructed my brother-in-law to go ahead and come pick up the oldest and take her to his house for now… but that he should not take any of her possessions as they have “meth” all over them… I was shocked that the supervisor, without any proof of my use, told a handful of these people who are no relation to me but are now fighting me for custody and making accusations regarding my daughter’s death and her using drugs. I am wondering if he had a right to share my hot UA info, which was about 4 months ago and that was the second one I did; the first one was negative for meth and they haven’t requested any more since then. Now nobody will help us take care of these 3 kids, me and my 76 yr old mom, and on top of it all I had to arrange for my own treatment and counseling even when my caseworker said she would take care of it for me. Nobody even asked the supervisor what the circumstances were for the kids to be moved because they thought it was voluntary that we were temporary help, so for him to tell anyone, I thought, was a violation of my privacy. Can you help me please
