DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE

I. INTRODUCTION:

The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions apply to three types of entities, known as “covered entities”: (1) health care providers who conduct covered health care transactions electronically, (2) health plans, and (3) health care clearinghouses. The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, (1) requires covered entities to implement safeguards to ensure that the privacy of protected health information (“PHI”) is maintained, (2) sets the parameters under which covered entities may use or disclose an individual’s PHI, and (3) requires covered entities to notify individuals of their rights to examine and obtain a copy of their health records and to request corrections. Covered entities that engage “business associates” to perform functions or work on their behalf must have contracts or other data sharing arrangements in place with those business associates to ensure that the business associates safeguard PHI and use and disclose the information only as permitted or required by the Privacy Rule.

II. HITECH ACT:

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, is designed to promote the widespread adoption and integration of health information technology. It includes provisions designed to strengthen the privacy and security protections for health information established by HIPAA. These provisions include: extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities; requiring that Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, be treated as business associates; requiring HIPAA covered entities and business associates to provide notification of breaches of “unsecured” PHI; establishing new limitations on the use and disclosure of PHI; prohibiting the sale of PHI; and expanding individuals’ rights to access their PHI and to obtain restrictions on certain disclosures of PHI to health plans. In addition, its provisions are designed to strengthen and expand HIPAA’s enforcement provisions.

III. OMNIBUS RULE:

On January 25, 2013, the Department of Health and Human Services (HHS) issued the final changes to the Privacy Rule. (See 78 Fed. Reg. 5566 et seq.) This constituted the adoption of
the “final” privacy, security and breach notification provisions of HIPAA, HITECH and the Genetic Information Nondiscrimination Act (GINA). As of September 23, 2013, this rule is in full effect and, other than certain “grandfathered” agreements, all covered entities and their business associates fall under its provisions. The Final Privacy Rule makes business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements. It strengthens the limitations on the use and disclosure of PHI and prohibits the sale of PHI without individual authorization. It expands individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full. It requires modifications to, and redistribution of, a covered entity’s notice of privacy practices. It modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others. It also adopts additional HITECH enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect. The Omnibus Rule also incorporates the increased and tiered civil money penalty structure provided by the HITECH Act, and replaces the breach notification rule’s “harm” threshold in an attempt to provide a more objective standard. Finally, it prohibits most health plans from using or disclosing genetic information for underwriting purposes.

A. Business Associates

HIPAA permits a covered entity to disclose PHI to a business associate, and to allow a business associate to create, receive, maintain, or transmit PHI on its behalf, provided the covered entity obtains satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information. “Business associate” is defined to include a person or entity who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. Such entities include, inter alia, billing companies, electronic records management companies, Patient Safety Organizations, Health Information Organizations (HIOs), E-Prescribing Gateways, other entities that provide data transmission services with respect to PHI to a covered entity and whose activities require routine access to such PHI, and entities that offer a personal health record to one or more individuals on behalf of a covered entity. The definitions of HIO and “routine access” are purposefully vague: the former is seen as evolving with practice and technology, and the latter is to be determined on a case-by-case basis. Accordingly, an entity that acts as a conduit for PHI but samples the data for integrity purposes may or may not be a business associate, depending on its relationship to covered entities, how often it accesses the PHI, and what its responsibility for maintaining the data may be. However, both the guidance and prudence suggest that the “conduit” exception is a narrow one designed for internet service providers and the like. An entity that maintains a covered entity’s database, for example, but does not access PHI in performing this task is still a business associate and not a conduit.

To avoid having HIPAA’s protections for PHI lapse merely because a function is performed by a subcontractor rather than by an entity with a direct relationship with a covered entity, a subcontractor that acts on behalf of a business associate (other than as a member of that business associate’s workforce), including an agent or other person who acts on behalf of the business associate, is also a business associate, even if the business associate has failed to enter into a business associate contract with that person or entity. As such, the subcontractor must comply with the Privacy Rule. In other words, the analysis is the same for the business associate and its subcontractor(s). This does not mean that a covered entity must have a contract with a business associate’s subcontractor(s). The obligation is on each business associate (sub or direct) to obtain satisfactory assurances in the form of a written contract or other arrangement that its subcontractor will appropriately safeguard PHI. Thus the requirements of HIPAA are “pushed down the chain” along with the PHI. The Privacy Rule provides that disclosures by a business associate for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the PHI, because such disclosures are made outside of the entity’s role as a business associate.
However, for such disclosures that are not required by law, the Privacy Rule requires that the business associate obtain “reasonable assurances” from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and that the person will notify the business associate of any instances of which it is aware in which the confidentiality of the information has been breached. Whether a disclosure of PHI by the business associate to a person who will assist it in performing a function, activity, or service for a covered entity or another business associate creates a business associate relationship, versus being solely for the business associate’s own management, is to be determined on a case-by-case basis.

a. Internal Business Associates – N.Y.C. HRA as an example of a Hybrid Entity

The Omnibus Rule promotes a shift toward direct liability for business associates of covered entities in the event of an unauthorized disclosure or breach of protected health information and synchronizes the rules for both internal and external business associates. Internal business associates are components of a hybrid entity that perform business associate, rather than covered, functions. HRA is a hybrid entity because it is “a covered entity; [w]hose business activities include both covered and non-covered functions; and… designates health care components in accordance with [HIPAA regulations].” The old rule allowed hybrid entities to subject only their health care components to HIPAA regulations while cordoning off internal business associate functions. The new rule removes this flexibility by providing that “if the covered entity designates one or more health care components, it must include any component that would meet the definition of a covered entity or business associate if it were a separate legal entity….” 45 C.F.R. § 164.105(iii)(D).

There is some ambiguity regarding the extent of the changes. Some scholars argue that the new regulation does not require a covered entity’s business associate function areas to comply with