Standards for Privacy of Individually Identifiable Health Information
J. Section 164.532--Transition Provisions
2. Business Associates
December 2000 Privacy Rule
The Privacy Rule at Sec. 164.502(e) permits a covered entity to
disclose protected health information to a business associate who
performs a function or activity on behalf of, or provides a service
to, the covered entity that involves the creation, use, or disclosure
of protected health information, provided that the covered entity
obtains satisfactory assurances that the business associate will
appropriately safeguard the information. The Department recognizes
that most covered entities do not perform or carry out all of their
health care activities and functions by themselves, but rather use
the services of, or receive assistance from, a variety of other
persons or entities. Given this framework, the Department intended
these provisions to allow such business relationships to continue
while ensuring that identifiable health information created or shared
in the course of the relationships was protected.
The Privacy Rule requires that the satisfactory assurances obtained
from the business associate be in the form of a written contract
(or other written arrangement, as between governmental entities)
between the covered entity and the business associate that contains
the elements specified at Sec. 164.504(e). For example, the agreement
must identify the uses and disclosures of protected health information
the business associate is permitted or required to make, as well
as require the business associate to put in place appropriate safeguards
to protect against a use or disclosure not permitted by the contract
or agreement.
The Privacy Rule also provides that, where a covered entity knows
of a material breach or violation by the business associate of the
contract or agreement, the covered entity is required to take reasonable
steps to cure the breach or end the violation, and if such steps
are unsuccessful, to terminate the contract or arrangement. If termination
of the contract or arrangement is not feasible, a covered entity
is required to report the problem to the Secretary of HHS. A covered
entity that violates the satisfactory assurances it provided as
a business associate of another covered entity is in noncompliance
with the Privacy Rule.
The Privacy Rule's definition of "business associate"
at Sec. 160.103 includes the types of functions or activities, and
list of services, that make a person or entity who engages in them
a business associate, if such activity or service involves protected
health information. For example, a third party administrator (TPA)
is a business associate of a health plan to the extent the TPA assists
the health plan with claims processing or another covered function.
Similarly, accounting services performed by an outside consultant
give rise to a business associate relationship when provision of
the service entails access to the protected health information held
by a covered entity.
The Privacy Rule excepts from the business associate standard certain
uses or disclosures of protected health information. That is, in
certain situations, a covered entity is not required to have a contract
or other written agreement in place before disclosing protected
health information to a business associate or allowing protected
health information to be created by the business associate on its
behalf. Specifically, the standard does not apply to: disclosures
by a covered entity to a health care provider for treatment purposes;
disclosures to the plan sponsor by a group health plan, or a health
insurance issuer or HMO with respect to a group health plan, to
the extent that the requirements of Sec. 164.504(f) apply and are
met; or to the collection and sharing of protected health information
by a health plan that is a public benefits program and an agency
other than the agency administering the health plan, where the other
agency collects protected health information for, or determines
eligibility or enrollment with respect to, the government program,
and where such activity is authorized by law. See Sec. 164.502(e)(1)(ii).
March 2002 NPRM
The Department heard concerns from many covered entities and others
about the business associate provisions of the Privacy Rule. The
majority expressed some concern over the anticipated administrative
burden and cost to implement the business associate provisions.
Some stated that many covered entities have existing contracts that
are not set to terminate or expire until after the compliance date
of the Privacy Rule. Others expressed specific concern that the
two-year compliance period does not provide enough time to reopen
and renegotiate what could be hundreds or more contracts for large
covered entities. These entities went on to urge the Department
to grandfather in existing contracts until such contracts come up
for renewal instead of requiring that all contracts be in compliance
with the business associate provisions by the compliance date of
the Privacy Rule.
In response to these concerns, the Department proposed to relieve
some of the burden on covered entities in complying with the business
associate provisions by both adding a transition provision to grandfather
certain existing contracts for a specified period of time, as well
as publishing sample contract language in the proposed Rule. The
following discussion addresses the issue of the business associate
transition provisions. A discussion of the business associate sample
contract language is included in Part X of the preamble.
The Department proposed new transition provisions at Sec. 164.532(d)
and (e) to allow covered entities, other than small health plans,
to continue to operate under certain existing contracts with business
associates for up to one year beyond the April 14, 2003, compliance
date of the Privacy Rule. The additional transition period would
be available to a covered entity, other than a small health plan,
if, prior to the effective date of the transition provision, the
covered entity had an existing contract or other written arrangement
with a business associate, and such contract or arrangement was
not renewed or modified between the effective date of this provision
and the Privacy Rule's compliance date of April 14, 2003. The proposed
provisions were intended to allow those covered entities with contracts
that qualified as described above to continue to disclose protected
health information to the business associate, or allow the business
associate to create or receive protected health information on its
behalf, for up to one year beyond the Privacy Rule's compliance
date, regardless of whether the contract meets the applicable contract
requirements in the Privacy Rule. The Department proposed to deem
such contracts to be compliant with the Privacy Rule until either
the covered entity had renewed or modified the contract following
the compliance date of the Privacy Rule (April 14, 2003), or April
14, 2004, whichever was sooner. In cases where a contract simply
renewed automatically without any change in terms or other action
by the parties (also known as "evergreen contracts"),
the Department intended that such evergreen contracts would be eligible
for the extension and that deemed compliance would not terminate
when these contracts automatically rolled over.
These transition provisions would apply to covered entities only
with respect to written contracts or other written arrangements
as specified above, and not to oral contracts or other arrangements.
In addition, the proposed transition provisions would not apply
to small health plans, as defined in the Privacy Rule. Small health
plans would be required to have all business associate contracts
be in compliance with the Privacy Rule's applicable provisions,
by the compliance deadline of April 14, 2004, for such covered entities.
In proposed Sec. 164.532(e)(2), the Department provided that the
new transition provisions would not relieve a covered entity of
its responsibilities with respect to making protected health information
available to the Secretary, including information held by a business
associate, as necessary for the Secretary to determine compliance.
Similarly, these provisions would not relieve a covered entity of
its responsibilities with respect to an individual's rights to access
or amend his or her protected health information held by a business
associate, or receive an accounting of disclosures by a business
associate, as provided for by the Privacy Rule's requirements at
Secs. 164.524, 164.526, and 164.528. Covered entities still would
be required to fulfill individuals' rights with respect to their
protected health information, including information held by a business
associate of the covered entity. Covered entities would have to
ensure, in whatever manner effective, the appropriate cooperation
by their business associates in meeting these requirements.
The Department did not propose modifications to the standards and
implementation specifications that apply to business associate relationships
as set forth at Secs. 164.502(e) and 164.504(e), respectively, of
the Privacy Rule.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
Most commenters on this issue expressed general support for a transition
period for business associate contracts. Of these commenters, however,
many requested that the Department modify the proposal in a number
of different ways. For example, a number of commenters urged the
Department to modify which contracts qualify for the transition
period, such as by making the transition period available to contracts
existing as of the compliance date of the Privacy Rule, rather than
as of the effective date of the transition modification. Others
requested that the Department apply the transition period to all
business associate arrangements, even those arrangements for which
there was no existing written contract.
Some commenters urged the Department to modify the end date of
the transition period. A few of these commenters requested that
the transition period apply to existing business associate contracts
until they expired or were renewed, with no specified end date in
the regulation. It was also suggested that the Department simply
provide one extra year, until April 14, 2004, for compliance with
the business associate contract provisions, without the provision
that a renewal or modification of the contract would trigger an
earlier transition period end date. A few commenters requested further
guidance as to the types of actions the Department would or would
not consider to be a "renewal or modification" of the
contract.
Additionally, numerous commenters requested that the Department
further clarify a covered entity's responsibilities with regard
to their business associates during the transition period. Commenters
expressed concerns with the proposal's requirement that the transition
provisions would not have relieved a covered entity of its responsibilities
with respect to an individual's rights to access or amend his or
her protected health information held by business associates, or
receive an accounting of disclosures by a business associate. Similarly,
commenters raised concerns that the transition provisions would
not have relieved a covered entity of its responsibilities to make
information available to the Secretary, including information held
by a business associate, as necessary for the Secretary to determine
compliance. Commenters also expressed concerns about the fact that
it appeared that covered entities still would have been required
to obtain satisfactory assurances from a business associate that
protected health information not be used improperly by the business
associate, or that the covered entity still would have been required
to mitigate any known harmful effects of a business associate's
improper use or disclosure of protected health information during
the transition period. It was stated that cooperation by a business
associate with respect to the covered entity's obligations under
the Rule would be difficult, if not impossible, to secure without
a formal agreement.
A few commenters opposed the proposal, one of whom raised concerns
that the proposed transition period would encourage covered entities
to enter into "stop gap" contracts instead of compliant
business associate contracts. This commenter urged that the Department
maintain the original compliance date for business associate contracts.
Final Modifications
In the final Rule, the Department adopts the transition period
for certain business associate contracts as proposed in the NPRM.
The final Rule's transition provisions at Sec. 164.532(d) and (e)
permit covered entities, other than small health plans, to continue
to operate under certain existing contracts with business associates
for up to one year beyond the April 14, 2003, compliance date of
the Privacy Rule. The transition period is available to covered
entities who have an existing contract (or other written arrangement)
with a business associate prior to the effective date of this modification,
provided that the contract is not renewed or modified prior to the
April 14, 2003, compliance date of the Privacy Rule. (See the "Dates"
section above for the effective date of this modification.) Covered
entities with contracts that qualify are permitted to continue to
operate under those contracts with their business associates until
April 14, 2004, or until the contract is renewed or modified, whichever
is sooner. During the transition period, such contracts are deemed
to be compliant with the Privacy Rule regardless of whether the
contract meets the Rule's applicable contract requirements at Secs.
164.502(e) and 164.504(e).
The transition provisions are intended to address the concerns
of covered entities that the two-year period between the effective
date and compliance date of the Privacy Rule is insufficient to
reopen and renegotiate all existing contracts for the purposes of
bringing them into compliance with the Rule. These provisions also
provide covered entities with added flexibility to incorporate the
business associate contract requirements at the time they would
otherwise modify or renew the existing contract.
Given the intended purpose of these provisions, the Department
is not persuaded by the comments that it is necessary to modify
the provision to make the transition period available to those contracts
existing prior to the Rule's compliance date of April 14, 2003,
rather than the effective date of the modification, or, even less
so, to any business associate arrangement regardless of whether
a written contract currently exists.
A covered entity that does not have a written contract with a business
associate prior to the effective date of this modification does
not encounter the same burdens described by other commenters associated
with having to reopen and renegotiate many existing contracts at
once. The Department believes that such a covered entity should
be able to enter into a compliant business associate contract by
the compliance date of the Rule. Further, those covered entities
whose business associate contracts come up for renewal or modification
prior to the compliance date have the opportunity to bring such
contracts into compliance by April 14, 2003. Thus, a covered entity
that enters into a business associate contract after the effective
date of this modification, or that has a contract that is renewed
or modified prior to the compliance date of the Rule, is not eligible
for the transition period and is required to have a business associate
contract in place that meets the applicable requirements of Secs.
164.502(e) and 164.504(e) by the Privacy Rule's compliance date
of April 14, 2003. Further, as in the proposed Rule, the transition
provisions apply only to written contracts or other written arrangements.
Oral contracts or other arrangements are not eligible for the transition
period. The Department clarifies, however, that nothing in these
provisions requires a covered entity to come into compliance with
the business associate contract provisions prior to April 14, 2003.
Similarly, in response to those commenters who requested that the
Department permit existing contracts to be transitioned until April
14, 2004, regardless of whether such contracts are renewed or modified
prior to that date, the Department considers a renewal or modification
of the contract to be an appropriate, less burdensome opportunity
to bring such contracts into compliance with the Privacy Rule. The
Department, therefore, does not modify the proposal in such a way.
Further, in response to commenters who requested that the Rule grandfather
in existing business associate contracts until they expire or are
renewed, with no specified end date in the regulation, the Department
believes that limiting the transition period to one year beyond
the Rule's compliance date is the proper balance between individuals'
privacy interests and alleviating burden on the covered entity.
All existing business associate contracts must be compliant with
the Rule's business associate contract provisions by April 14, 2004.
As in the proposal, evergreen or other contracts that renew automatically
without any change in terms or other action by the parties and that
exist by the effective date of this modification are eligible for
the transition period. The automatic renewal of such contracts itself
does not terminate qualification for, or deemed compliance during,
the transition period. Renewal or modification for the purposes
of these transition provisions requires action by the parties involved.
For example, the Department does not consider an automatic inflation
adjustment to the price of a contract to be a renewal or modification
for purposes of these provisions. Such an adjustment will not trigger
the end of the transition period, nor make the contract ineligible
for the transition period if the adjustment occurs before the compliance
date of the Rule.
The transition provisions do not apply to "small health plans,"
as defined at Sec. 160.103. Small health plans are required to have
business associate contracts that are compliant with Secs. 164.502(e)
and 164.504(e) by the April 14, 2004, compliance date for such entities.
As explained in the proposal, the Department believes that the additional
year provided by the statute for these entities to comply with the
Privacy Rule provides sufficient time for compliance with the Rule's
business associate provisions. In addition, the sample contract
provisions provided in the Appendix to the preamble will assist
small health plans and other covered entities in their implementation
of the Privacy Rule's business associate provisions by April 14,
2004.
Like the proposal, the final Rule at Sec. 164.532(e)(2) provides
that, during the transition period, covered entities are not relieved
of their responsibilities to make information available to the Secretary,
including information held by a business associate, as necessary
for the Secretary to determine compliance by the covered entity.
Similarly, the transition period does not relieve a covered entity
of its responsibilities with respect to an individual's rights to
access or amend his or her protected health information held by
a business associate, or receive an accounting of disclosures by
a business associate, as provided for by the Privacy Rule's requirements
at Secs. 164.524, 164.526, and 164.528. In addition, unlike the
proposed Rule, the final Rule at Sec. 164.532(e)(3) explicitly provides
that with respect to those business associate contracts that qualify
for the transition period as described above, a covered entity is
not relieved of its obligation under Sec. 164.530(f) to mitigate,
to the extent practicable, any harmful effect that is known to the
covered entity of a use or disclosure of protected health information
by its business associate in violation of the covered entity's policies
and procedures or the requirements of this subpart.
The Department does not believe that a covered entity should be
relieved during the transition period of its responsibilities with
respect to cooperating with the Secretary or fulfilling an individual's
rights with respect to protected health information held by the
business associate, or mitigating any harmful effects of an inappropriate
use or disclosure by the business associate. The transition period
is intended to alleviate some of the burden on covered entities,
but not at the expense of individuals' privacy rights. Eliminating
these privacy protections and rights would severely weaken the Rule
with respect to those covered entities with contracts that qualify
for the transition period.
Further, the Rule provides covered entities some discretion in
implementing these requirements with respect to their business associates.
For example, a covered entity does not need to provide an individual
with access to protected health information held by a business associate
if the only information the business associate holds is a duplicate
of what the covered entity maintains and to which it has provided
the individual access. Covered entities are required to ensure,
in whatever manner deemed effective by the covered entity, the appropriate
cooperation by their business associates in meeting these requirements.
In response to other concerns from commenters, the Department clarifies
that a covered entity is not required to obtain satisfactory assurances
(in any form), as required by Sec. 164.502(e)(1), from a business
associate to which the transition period applies. The transition
period effectively deems such qualified contracts to fulfill the
requirement for satisfactory assurances from the business associate.
The Department is aware that the transition provisions may encourage
some covered entities to enter into contracts before the effective
date of the modification solely to take advantage of the transition
period, rather than encourage such entities to execute fully compliant
business associate contracts. However, the Department believes that
the provision appropriately limits the potential for such misuse
by requiring that qualified contracts exist prior to the modification
effective date rather than the Privacy Rule's compliance date. Further,
the transition provisions do not relieve the covered entity of its
obligations with respect to protected health information held by
the business associate and, therefore, ensure that an individual's
rights, as provided for by the Rule, remain intact during the transition
period.
Response to Other Public Comments
Comment: One commenter requested that the transition period
also be applied to the requirement that a group health plan amend
plan documents pursuant to Sec. 164.504(f) before protected health
information may be disclosed to the plan sponsor.
Response: The Department does not make such a modification.
The intent of the business associate transition provisions is to
alleviate burden on those covered entities with many existing contracts,
where as a result, the two-year period between the effective date
and compliance date of the Privacy Rule may be insufficient to reopen
and renegotiate all such contracts for the purposes of bringing
them into compliance with the Rule. The Privacy Rule does not require
a business associate contract for disclosure of protected health
information from a group health plan to a plan sponsor. Rather,
the Rule permits a group health plan to disclose protected health
information to a plan sponsor if, among other requirements, the
plan documents are amended to appropriately reflect and restrict
the plan sponsor's uses and disclosures of such information. As
the group health plan should only have one set of plan documents
that must be amended, the same burdens described above do not exist
with respect to this activity. Thus, the Department expects that
group health plans will be able to modify plan documents in accordance
with the Rule by the Rule's compliance date.
Comment: Many commenters continued to recommend various
modifications to the business associate standard, unrelated to the
proposed modifications. For example, some commenters urged that
the Department eliminate the business associate requirements entirely.
Several commenters urged that the Department exempt covered entities
from having to enter into contracts with business associates who
are also covered entities under the Privacy Rule. Alternatively,
one commenter suggested that the Department simplify the requirements
by requiring a covered entity that is a business associate to specify
in writing the uses and disclosures the covered entity is permitted
to make as a business associate.
Other commenters requested that the Department allow business associates
to self-certify or be certified by a third party or HHS as compliant
with the Privacy Rule, as an alternative to the business associate
contract requirement.
Certain commenters urged the Department to modify the Rule to eliminate
the need for a contract with accreditation organizations. Some commenters
suggested that the Department do so by reclassifying private accreditation
organizations acting under authority from a government agency as
health oversight organizations, rather than as business associates.
Response: The proposed modifications regarding business
associates were intended to address the concerns of commenters with
respect to having insufficient time to reopen and renegotiate what
could be thousands of contracts for some covered entities by the
compliance date of the Privacy Rule. The proposed modifications
did not address changes to the definition of, or requirements for,
business associates generally. The Department has, in previous guidance,
as well as in the preamble to the December 2000 Privacy Rule, explained
its position with respect to most of the above concerns. However,
the Department summarizes its position in response to such comments
briefly below.
The Department recognizes that most covered entities acquire the
services of a variety of other persons or entities to assist in
carrying out the covered entities' health care activities. The business
associate provisions are necessary to ensure that individually identifiable
health information created or shared in the course of these relationships
is protected. Further, without the business associate provisions,
covered entities would be able to circumvent the requirements of
the Privacy Rule simply by contracting out certain of their functions.
With respect to a contract between a covered entity and a business
associate who is also a covered entity, the Department restates
its position that a covered entity that is a business associate
should be restricted from using or disclosing the protected health
information it creates or receives as a business associate for any
purposes other than those explicitly provided for in its contract.
Further, to modify the provisions to require or permit a type of
written assurance, other than a contract, by a covered entity would
add unnecessary complexity to the Rule.
Additionally, the Department at this time does not believe that
a business associate certification process would provide the same
kind of protections and guarantees with respect to a business associate's
actions that are available to a covered entity through a contract
under State law. With respect to certification by a third party,
it is unclear whether such a process would allow for any meaningful
enforcement (such as termination of a contract) for the actions
of a business associate. Further, the Department could not require
that a business associate be certified by a third party. Thus, the
Privacy Rule still would have to allow for a contract between a
covered entity and a business associate.
The Privacy Rule explicitly defines organizations that accredit
covered entities as business associates. See the definition of "business
associate" at Sec. 160.103. The Department defined such organizations
as business associates because, like other business associates,
they provide a service to the covered entity during which much protected
health information is shared. The Privacy Rule treats all organizations
that provide accreditation services to covered entities alike. The
Department has not been persuaded by the comments that those accreditation
organizations acting under grant of authority from a government
agency should be treated differently under the Rule and relieved
of the conditions placed on other such relationships. However, the
Department understands concerns regarding the burdens associated
with the business associate contract requirements. The Department
clarifies that the business associate provisions may be satisfied
by standard or model contract forms which could require little or
no modification for each covered entity. As an alternative to the
business associate contract, these final modifications permit a
covered entity to disclose a limited data set of protected health
information, not including direct identifiers, for accreditation
and other health care operations purposes subject to a data use
agreement. See Sec. 164.514(e).
Comment: A number of commenters continued to express concern
over a covered entity's perceived liability with respect to the
actions of its business associate. Some commenters requested further
clarification that a covered entity is not responsible for or required
to monitor the actions of its business associates. It also was suggested
that such language expressly be included in the Rule's regulatory
text. One commenter recommended that the Rule provide that business
associates are directly liable for their own failure to comply with
the Privacy Rule. Another commenter urged that the Department eliminate
a covered entity's obligation to mitigate any harmful effects caused
by a business associate's improper use or disclosure of protected
health information.
Response: The Privacy Rule does not require a covered entity
to actively monitor the actions of its business associates nor is
the covered entity responsible or liable for the actions of its
business associates. Rather, the Rule only requires that, where
a covered entity knows of a pattern of activity or practice that
constitutes a material breach or violation of the business associate's
obligations under the contract, the covered entity take steps to
cure the breach or end the violation. See Sec. 164.504(e)(1). The
Department does not believe a regulatory modification is necessary
in this area. The Department does not have the statutory authority
to hold business associates that are not also covered entities
liable under the Privacy Rule.
With respect to mitigation, the Department does not accept the
commenter's suggestion. When protected health information is used
or disclosed inappropriately, the harm to the individual is the
same, regardless of whether the violation was caused by the covered
entity or by a business associate. Further, this provision is not
an absolute standard intended to require active monitoring of the
business associate or mitigation of all harm caused by the business
associate. Rather, the provision applies only if the covered entity
has actual knowledge of the harm, and requires mitigation only "to
the extent practicable" by the covered entity. See Sec. 164.530(f).
Comment: Several commenters asked the Department to provide
additional clarification as to who is and is not a business associate
for purposes of the Rule. For example, commenters questioned whether
researchers were business associates. Other commenters requested
further clarification as to when a health care provider would be
the business associate of another health care provider. One commenter
asked the Department to clarify whether covered entities that engage
in joint activities under an organized health care arrangement (OHCA)
are required to have a business associate contract. Several commenters
asked the Department to clarify that a business associate agreement
is not required with organizations or persons where contact with
protected health information would result inadvertently (if at all),
for example, janitorial services.
Response: The Department provides the following guidance
in response to commenters. Disclosures from a covered entity to
a researcher for research purposes as permitted by the Rule do not
require a business associate contract. This remains true even in
those instances where the covered entity has hired the researcher
to perform research on the covered entity's own behalf because research
is not a covered function or activity. However, the Rule does not
prohibit a covered entity from entering into a business associate
contract with a researcher if the covered entity wishes to do so.
Notwithstanding the above, a covered entity must enter into a data
use agreement, as required by Sec. 164.514(e), prior to disclosing
a limited data set for research purposes to a researcher.
With respect to business associate contracts between health care
providers, the Privacy Rule explicitly excepts from the business
associate requirements disclosures by a covered entity to a health
care provider for treatment purposes. See Sec. 164.502(e)(1). Therefore,
any covered health care provider (or other covered entity) may share
protected health information with a health care provider for treatment
purposes without a business associate contract. The Department does
not intend the Rule to interfere with the sharing of information
among health care providers for treatment. However, this exception
does not preclude one health care provider from establishing a business
associate relationship with another health care provider for some
other purpose. For example, a hospital may enlist the services of
another health care provider to assist in the hospital's training
of medical students. In this case, a business associate contract
would be required before the hospital could allow the health care
provider access to patient health information.
As to disclosures among covered entities who participate in an
organized health care arrangement, the Department clarifies that
no business associate contract is needed to the extent the disclosure
relates to the joint activities of the OHCA.
The Department also clarifies that a business associate contract
is not required with persons or organizations whose functions, activities,
or services do not involve the use or disclosure of protected health
information, and where any access to protected health information
by such persons would be de minimis, if at all. For example, a health
care provider is not required to enter into a business associate
contract with its janitorial service because the performance of
such service does not involve the use or disclosure of protected
health information. In this case, where a janitor has contact with
protected health information incidentally, such disclosure is permissible
under Sec. 164.502(a)(1)(iii) provided reasonable safeguards are
in place.
The Department is aware that similar questions still remain with
respect to the business associate provisions of the Privacy Rule
and intends to provide technical assistance and further clarifications
as necessary to address these questions.
Comment: A few commenters urged that the Department modify
the Privacy Rule's requirement for a covered entity to take reasonable
steps to cure a breach or end a violation of its business associate
contract by a business associate. One commenter recommended that
the requirement be modified instead to require a covered entity
who has knowledge of a breach to ask its business associate to cure
the breach or end the violation. Another commenter argued that a
covered entity only should be required to take reasonable steps
to cure a breach or end a violation if the business associate or
a patient reports to the privacy officer or other responsible employee
of the covered entity that a misuse of protected health information
has occurred.
Response: It is expected that a covered entity with evidence
of a violation will ask its business associate, where appropriate,
to cure the breach or end the violation. Further, the Department
intends that whether a covered entity "knew" of a pattern
or practice of the business associate in breach or violation of
the contract will be consistent with common principles of law that
dictate when knowledge can be attributed to a corporate entity.
Regardless, a covered entity's training of its workforce, as required
by Sec. 164.530(b), should address the recognition and reporting
of violations to the appropriate responsible persons within the entity.
Comment: Several commenters requested clarification as to
whether a business associate is required to provide individuals
with access to their protected health information as provided by
Sec. 164.524 or an accounting of disclosures as provided by Sec.
164.528, or amend protected health information as required by Sec.
164.526. Some commenters wanted clarification that the access and
amendment provisions apply to the business associate only if the
business associate maintains the original designated record set
of the protected health information.
Response: Under the Rule, the covered entity is responsible
for fulfilling all of an individual's rights, including the rights
of access, amendment, and accounting, as provided for by Secs. 164.524,
164.526, and 164.528. With limited exceptions, a covered entity
is required to provide an individual access to his or her protected
health information in a designated record set. This includes information
in a designated record set of a business associate, unless the information
held by the business associate merely duplicates the information
maintained by the covered entity. However, the Privacy Rule does
not prevent the parties from agreeing through the business associate
contract that the business associate will provide access to individuals,
as may be appropriate where the business associate is the only holder
of the, or part of the, designated record set.
As governed by Sec. 164.526, a covered entity must amend protected
health information about an individual in a designated record set,
including any designated record sets (or copies thereof) held by
a business associate. Therefore, the Rule requires covered entities
to specify in the business associate contract that the business
associate will make protected health information available for amendment
and will incorporate amendments accordingly. The covered entity
itself is responsible for addressing requests from individuals for
amendment and coordinating such requests with its business associate.
However, the Privacy Rule also does not prevent the parties from
agreeing through the contract that the business associate will receive
and address requests for amendment on behalf of the covered entity.
With respect to accounting, Sec. 164.528 requires a covered entity
to provide an accounting of certain disclosures, including certain
disclosures by its business associate, to the individual upon request.
The business associate contract must provide that the business associate
will make such information available to the covered entity in order
for the covered entity to fulfill its obligation to the individual.
As with access and amendment, the parties can agree through the
business associate contract that the business associate will provide
the accounting to individuals, as may be appropriate given the protected
health information held by, and the functions of, the business associate.
Comment: One commenter asked whether a business associate
agreement in electronic form, with an electronic signature, would
satisfy the Privacy Rule's business associate requirements.
Response: The Privacy Rule generally allows for electronic
documents to qualify as written documents for purposes of meeting
the Rule's requirements. This also applies with respect to business
associate agreements. However, currently, no standards exist under
HIPAA for electronic signatures. Thus, in the absence of specific
standards, covered entities should ensure any electronic signature
used will result in a legally binding contract under applicable
State or other law.
Comment: Certain commenters raised concerns with the Rule's
classification of attorneys as business associates. A few of these
commenters urged the Department to clarify that the Rule's requirement
at Sec. 164.504(e)(2)(ii)(H), which requires a contract to state
the business associate must make information relating to the use
or disclosure of protected health information available to the Secretary
for purposes of determining the covered entity's compliance with
the Rule, not apply to protected health information in possession
of a covered entity's lawyer. Commenters argued that such a requirement
threatens to impact attorney-client privilege. Others expressed
concern over the requirement that the attorney, as a business associate,
must return or destroy protected health information at termination
of the contract. It was argued that such a requirement is inconsistent
with many current obligations of legal counsel and is neither warranted
nor useful.
Response: The Department does not modify the Rule in this
regard. The Privacy Rule is not intended to interfere with attorney-client
privilege. Nor does the Department anticipate that it will be necessary
for the Secretary to have access to privileged material in order
to resolve a complaint or investigate a violation of the Privacy
Rule. However, the Department does not believe that it is appropriate
to exempt attorneys from the business associate requirements.
With respect to the requirement for the return or destruction of
protected health information, the Rule requires the return or destruction
of all protected health information at termination of the contract
only where feasible or permitted by law. Where such action is not
feasible, the contract must state that the information will remain
protected after the contract ends for as long as the information
is maintained by the business associate, and that further uses and
disclosures of the information will be limited to those purposes
that make the return or destruction infeasible.
Comment: One commenter was concerned that the business associate
provisions regarding the return or destruction of protected health
information upon termination of the business associate agreement
conflict with various provisions of the Bank Secrecy Act, which
require financial institutions to retain certain records for up
to five years. The commenter further noted that there are many State
banking regulations that require financial institutions to retain
certain records for up to ten years. The commenter recommended that
the Department clarify, in instances of conflict with the Privacy
Rule, that financial institutions comply with Federal and State
banking regulations.
Response: The Department does not believe there is a conflict
between the Privacy Rule and the Bank Secrecy Act retention requirements
or that the Privacy Rule would prevent a financial institution that
is a business associate of a covered entity from complying with
the Bank Secrecy Act. The Privacy Rule generally requires a business
associate contract to provide that the business associate will return
or destroy protected health information upon the termination of
the contract; however, it does not require this if the return or
destruction of protected health information is infeasible. Return
or destruction would be considered "infeasible" if other
law, such as the Bank Secrecy Act, requires the business associate
to retain protected health information for a period of time beyond
the termination of the business associate contract. The Privacy
Rule would require that the business associate contract extend the
protections of the contract and limit further uses and disclosures
to those purposes that make the return or destruction of the information
infeasible. In this case, the business associate would have to limit
the use or disclosure of the protected health information to purposes
of the Bank Secrecy Act or State banking regulations.
Comment: A commenter requested clarification concerning
the economic impact on business associates of the cost-based copying
fees allowed to be charged to individuals who request a copy of
their medical record under the right of access provided by the Privacy
Rule. See Sec. 164.524. According to the commenter, many hospitals
and other covered entities currently outsource their records reproduction
function for fees that often include administrative costs over and
above the costs of copying. In some cases, the fees may be set in
accordance with State law. The Privacy Rule, at Sec. 164.524(c)(4),
however, permits only reasonable, cost-based copying fees to be
charged to individuals seeking to obtain a copy of their medical
record under their right of access. The commenter was concerned
that others seeking copies of all or part of the medical record,
such as payers, attorneys, or entities that have the individual's
authorization, would try to claim the limited copying fees provided
in Sec. 164.524(c)(4). The commenter asserted that such a result
would drastically alter the economics of the outsourcing industry,
driving outsourcing companies out of business, and raising costs
for the health industry as a whole. A clarification that the fee
structure in Sec. 164.524(c)(4) applies only to individuals exercising
their right of access was sought.
Response: The Department clarifies that the Rule, at Sec.
164.524(c)(4), limits only the fees that may be charged to individuals,
or to their personal representatives in accordance with Sec. 164.502(g),
when the request is to obtain a copy of protected health information
about the individual in accordance with the right of access. The
fee limitations in Sec. 164.524(c)(4) do not apply to any other
permissible disclosures by the covered entity, including disclosures
that are permitted for treatment, payment or health care operations,
disclosures that are based on an individual's authorization that
is valid under Sec. 164.508, or other disclosures permitted without
the individual's authorization as specified in Sec. 164.512.
The fee limitation in Sec. 164.524(c)(4) is intended to assure
that the right of access provided by the Privacy Rule is available
to all individuals, and not just to those who can afford to do so.
Based on the clarification provided, the Department does not anticipate
that this provision will cause any significant disruption in the
way that covered entities do business today. To the extent hospitals
and other entities outsource this function because it is less expensive
than doing it themselves, the fee limitation for individuals seeking
access under Sec. 164.524 will affect only a portion of this business;
and, in these cases, hospitals should still find it economical to
outsource these activities, even if they can only pass on a portion
of the costs to the individual.