March 8, 2013. Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
Our focus this week has been on 45 CFR 164.502: Uses and disclosures of protected health information: General Rules. Today, we focus on the modified provisions at 164.502(e): Standard: Disclosures to business associates:
45 CFR 164.502(e): “(1) Standard: Disclosures to business associates.
(i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
(ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with 45 CFR 164.504(e)(1)(i) [Uses and disclosures: Organizational requirements—Standard: Business associate contracts (see below)], that the subcontractor will appropriately safeguard the information.
(2) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of 45 CFR164.504(e).”
Here is the language for 45 CFR 164.504(e)(1)(i) referenced in (1)(ii) above, as modified in the January 25, 2013, Final Rule:
“(e)(1) Standard: Business associate contracts. (i) The contract or other arrangement required by 45 CFR 164.502(e)(2) must meet the requirements of paragraph (e)(2) [Implementation specifications: Business associate contracts], (e)(3) [Implementation specifications: Other arrangements], or (e)(5) [Implementation specifications: Business associate contracts with subcontractors] of 45 CFR 164.504, as applicable.” 78 Federal Register 5697
On Monday, March 11, we shall present the content of 45 CFR 164.504(e), referenced in the preceding paragraph. On Tuesday, we close the presentation of 45 CFR 164.502 with 164.502(f): Standard: Deceased individuals.