
Standards for Privacy of Individually Identifiable Health Information

J. Section 164.532--Transition Provisions

2. Business Associates

December 2000 Privacy Rule

The Privacy Rule at Sec. 164.502(e) permits a covered entity to disclose protected health information to a business associate who performs a function or activity on behalf of, or provides a service to, the covered entity that involves the creation, use, or disclosure of, protected health information, provided that the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. The Department recognizes that most covered entities do not perform or carry out all of their health care activities and functions by themselves, but rather use the services of, or receive assistance from, a variety of other persons or entities. Given this framework, the Department intended these provisions to allow such business relationships to continue while ensuring that identifiable health information created or shared in the course of the relationships was protected.

The Privacy Rule requires that the satisfactory assurances obtained from the business associate be in the form of a written contract (or other written arrangement, as between governmental entities) between the covered entity and the business associate that contains the elements specified at Sec. 164.504(e). For example, the agreement must identify the uses and disclosures of protected health information the business associate is permitted or required to make, as well as require the business associate to put in place appropriate safeguards to protect against a use or disclosure not permitted by the contract or agreement.

The Privacy Rule also provides that, where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or arrangement is not feasible, a covered entity is required to report the problem to the Secretary of HHS. A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity is in noncompliance with the Privacy Rule.

The Privacy Rule's definition of "business associate" at Sec. 160.103 includes the types of functions or activities, and list of services, that make a person or entity who engages in them a business associate, if such activity or service involves protected health information. For example, a third party administrator (TPA) is a business associate of a health plan to the extent the TPA assists the health plan with claims processing or another covered function. Similarly, accounting services performed by an outside consultant give rise to a business associate relationship when provision of the service entails access to the protected health information held by a covered entity.

The Privacy Rule excepts from the business associate standard certain uses or disclosures of protected health information. That is, in certain situations, a covered entity is not required to have a contract or other written agreement in place before disclosing protected health information to a business associate or allowing protected health information to be created by the business associate on its behalf. Specifically, the standard does not apply to: disclosures by a covered entity to a health care provider for treatment purposes; disclosures to the plan sponsor by a group health plan, or a health insurance issuer or HMO with respect to a group health plan, to the extent that the requirements of Sec. 164.504(f) apply and are met; or to the collection and sharing of protected health information by a health plan that is a public benefits program and an agency other than the agency administering the health plan, where the other agency collects protected health information for, or determines eligibility or enrollment with respect to, the government program, and where such activity is authorized by law. See Sec. 164.502(e)(1)(ii).

March 2002 NPRM

The Department heard concerns from many covered entities and others about the business associate provisions of the Privacy Rule. The majority expressed some concern over the anticipated administrative burden and cost to implement the business associate provisions. Some stated that many covered entities have existing contracts that are not set to terminate or expire until after the compliance date of the Privacy Rule. Others expressed specific concern that the two-year compliance period does not provide enough time to reopen and renegotiate what could be hundreds or more contracts for large covered entities. These entities went on to urge the Department to grandfather in existing contracts until such contracts come up for renewal instead of requiring that all contracts be in compliance with the business associate provisions by the compliance date of the Privacy Rule.

In response to these concerns, the Department proposed to relieve some of the burden on covered entities in complying with the business associate provisions by both adding a transition provision to grandfather certain existing contracts for a specified period of time, as well as publishing sample contract language in the proposed Rule. The following discussion addresses the issue of the business associate transition provisions. A discussion of the business associate sample contract language is included in Part X of the preamble.

The Department proposed new transition provisions at Sec. 164.532(d) and (e) to allow covered entities, other than small health plans, to continue to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003, compliance date of the Privacy Rule. The additional transition period would be available to a covered entity, other than a small health plan, if, prior to the effective date of the transition provision, the covered entity had an existing contract or other written arrangement with a business associate, and such contract or arrangement was not renewed or modified between the effective date of this provision and the Privacy Rule's compliance date of April 14, 2003. The proposed provisions were intended to allow those covered entities with contracts that qualified as described above to continue to disclose protected health information to the business associate, or allow the business associate to create or receive protected health information on its behalf, for up to one year beyond the Privacy Rule's compliance date, regardless of whether the contract meets the applicable contract requirements in the Privacy Rule. The Department proposed to deem such contracts to be compliant with the Privacy Rule until either the covered entity had renewed or modified the contract following the compliance date of the Privacy Rule (April 14, 2003), or April 14, 2004, whichever was sooner. In cases where a contract simply renewed automatically without any change in terms or other action by the parties (also known as "evergreen contracts"), the Department intended that such evergreen contracts would be eligible for the extension and that deemed compliance would not terminate when these contracts automatically rolled over.

These transition provisions would apply to covered entities only with respect to written contracts or other written arrangements as specified above, and not to oral contracts or other arrangements. In addition, the proposed transition provisions would not apply to small health plans, as defined in the Privacy Rule. Small health plans would be required to have all business associate contracts in compliance with the Privacy Rule's applicable provisions by April 14, 2004, the compliance deadline for such covered entities.

In proposed Sec. 164.532(e)(2), the Department provided that the new transition provisions would not relieve a covered entity of its responsibilities with respect to making protected health information available to the Secretary, including information held by a business associate, as necessary for the Secretary to determine compliance. Similarly, these provisions would not relieve a covered entity of its responsibilities with respect to an individual's rights to access or amend his or her protected health information held by a business associate, or receive an accounting of disclosures by a business associate, as provided for by the Privacy Rule's requirements at Secs. 164.524, 164.526, and 164.528. Covered entities still would be required to fulfill individuals' rights with respect to their protected health information, including information held by a business associate of the covered entity. Covered entities would have to ensure, in whatever manner effective, the appropriate cooperation by their business associates in meeting these requirements.

The Department did not propose modifications to the standards and implementation specifications that apply to business associate relationships as set forth at Secs. 164.502(e) and 164.504(e), respectively, of the Privacy Rule.

Overview of Public Comments

The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, "Response to Other Public Comments."

Most commenters on this issue expressed general support for a transition period for business associate contracts. Of these commenters, however, many requested that the Department modify the proposal in a number of different ways. For example, a number of commenters urged the Department to modify which contracts qualify for the transition period, such as by making the transition period available to contracts existing as of the compliance date of the Privacy Rule, rather than as of the effective date of the transition modification. Others requested that the Department apply the transition period to all business associate arrangements, even those arrangements for which there was no existing written contract.

Some commenters urged the Department to modify the end date of the transition period. A few of these commenters requested that the transition period apply to existing business associate contracts until they expired or were renewed, with no specified end date in the regulation. It was also suggested that the Department simply provide one extra year, until April 14, 2004, for compliance with the business associate contract provisions, without the provision that a renewal or modification of the contract would trigger an earlier transition period end date. A few commenters requested further guidance as to the types of actions the Department would or would not consider to be a "renewal or modification" of the contract.

Additionally, numerous commenters requested that the Department further clarify a covered entity's responsibilities with regard to their business associates during the transition period. Commenters expressed concerns with the proposal's requirement that the transition provisions would not have relieved a covered entity of its responsibilities with respect to an individual's rights to access or amend his or her protected health information held by business associates, or receive an accounting of disclosures by a business associate. Similarly, commenters raised concerns that the transition provisions would not have relieved a covered entity of its responsibilities to make information available to the Secretary, including information held by a business associate, as necessary for the Secretary to determine compliance. Commenters also expressed concerns about the fact that it appeared that covered entities still would have been required to obtain satisfactory assurances from a business associate that protected health information not be used improperly by the business associate, or that the covered entity still would have been required to mitigate any known harmful effects of a business associate's improper use or disclosure of protected health information during the transition period. It was stated that cooperation by a business associate with respect to the covered entity's obligations under the Rule would be difficult, if not impossible, to secure without a formal agreement.

A few commenters opposed the proposal, one of whom raised concerns that the proposed transition period would encourage covered entities to enter into "stop gap" contracts instead of compliant business associate contracts. This commenter urged that the Department maintain the original compliance date for business associate contracts.

Final Modifications

In the final Rule, the Department adopts the transition period for certain business associate contracts as proposed in the NPRM. The final Rule's transition provisions at Sec. 164.532(d) and (e) permit covered entities, other than small health plans, to continue to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003, compliance date of the Privacy Rule. The transition period is available to covered entities who have an existing contract (or other written arrangement) with a business associate prior to the effective date of this modification, provided that the contract is not renewed or modified prior to the April 14, 2003, compliance date of the Privacy Rule. (See the "Dates" section above for the effective date of this modification.) Covered entities with contracts that qualify are permitted to continue to operate under those contracts with their business associates until April 14, 2004, or until the contract is renewed or modified, whichever is sooner. During the transition period, such contracts are deemed to be compliant with the Privacy Rule regardless of whether the contract meets the Rule's applicable contract requirements at Secs. 164.502(e) and 164.504(e).

The transition provisions are intended to address the concerns of covered entities that the two-year period between the effective date and compliance date of the Privacy Rule is insufficient to reopen and renegotiate all existing contracts for the purposes of bringing them into compliance with the Rule. These provisions also provide covered entities with added flexibility to incorporate the business associate contract requirements at the time they would otherwise modify or renew the existing contract.

Given the intended purpose of these provisions, the Department is not persuaded by the comments that it is necessary to modify the provision to make the transition period available to those contracts existing prior to the Rule's compliance date of April 14, 2003, rather than the effective date of the modification, or, even less so, to any business associate arrangement regardless of whether a written contract currently exists.

A covered entity that does not have a written contract with a business associate prior to the effective date of this modification does not encounter the same burdens described by other commenters associated with having to reopen and renegotiate many existing contracts at once. The Department believes that such a covered entity should be able to enter into a compliant business associate contract by the compliance date of the Rule. Further, those covered entities whose business associate contracts come up for renewal or modification prior to the compliance date have the opportunity to bring such contracts into compliance by April 14, 2003. Thus, a covered entity that enters into a business associate contract after the effective date of this modification, or that has a contract that is renewed or modified prior to the compliance date of the Rule, is not eligible for the transition period and is required to have a business associate contract in place that meets the applicable requirements of Secs. 164.502(e) and 164.504(e) by the Privacy Rule's compliance date of April 14, 2003. Further, as in the proposed Rule, the transition provisions apply only to written contracts or other written arrangements. Oral contracts or other arrangements are not eligible for the transition period. The Department clarifies, however, that nothing in these provisions requires a covered entity to come into compliance with the business associate contract provisions prior to April 14, 2003.

Similarly, in response to those commenters who requested that the Department permit existing contracts to be transitioned until April 14, 2004, regardless of whether such contracts are renewed or modified prior to that date, the Department considers a renewal or modification of the contract to be an appropriate, less burdensome opportunity to bring such contracts into compliance with the Privacy Rule. The Department, therefore, does not modify the proposal in such a way. Further, in response to commenters who requested that the Rule grandfather in existing business associate contracts until they expire or are renewed, with no specified end date in the regulation, the Department believes that limiting the transition period to one year beyond the Rule's compliance date is the proper balance between individuals' privacy interests and alleviating burden on the covered entity. All existing business associate contracts must be compliant with the Rule's business associate contract provisions by April 14, 2004.

As in the proposal, evergreen or other contracts that renew automatically without any change in terms or other action by the parties and that exist by the effective date of this modification are eligible for the transition period. The automatic renewal of such contracts itself does not terminate qualification for, or deemed compliance during, the transition period. Renewal or modification for the purposes of these transition provisions requires action by the parties involved. For example, the Department does not consider an automatic inflation adjustment to the price of a contract to be a renewal or modification for purposes of these provisions. Such an adjustment will not trigger the end of the transition period, nor make the contract ineligible for the transition period if the adjustment occurs before the compliance date of the Rule.

The transition provisions do not apply to "small health plans," as defined at Sec. 160.103. Small health plans are required to have business associate contracts that are compliant with Secs. 164.502(e) and 164.504(e) by the April 14, 2004, compliance date for such entities. As explained in the proposal, the Department believes that the additional year provided by the statute for these entities to comply with the Privacy Rule provides sufficient time for compliance with the Rule's business associate provisions. In addition, the sample contract provisions provided in the Appendix to the preamble will assist small health plans and other covered entities in their implementation of the Privacy Rule's business associate provisions by April 14, 2004.

Like the proposal, the final Rule at Sec. 164.532(e)(2) provides that, during the transition period, covered entities are not relieved of their responsibilities to make information available to the Secretary, including information held by a business associate, as necessary for the Secretary to determine compliance by the covered entity. Similarly, the transition period does not relieve a covered entity of its responsibilities with respect to an individual's rights to access or amend his or her protected health information held by a business associate, or receive an accounting of disclosures by a business associate, as provided for by the Privacy Rule's requirements at Secs. 164.524, 164.526, and 164.528. In addition, unlike the proposed Rule, the final Rule at Sec. 164.532(e)(3) explicitly provides that, with respect to those business associate contracts that qualify for the transition period as described above, a covered entity is not relieved of its obligation under Sec. 164.530(f) to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information by its business associate in violation of the covered entity's policies and procedures or the requirements of this subpart.

The Department does not believe that a covered entity should be relieved during the transition period of its responsibilities with respect to cooperating with the Secretary or fulfilling an individual's rights with respect to protected health information held by the business associate, or mitigating any harmful effects of an inappropriate use or disclosure by the business associate. The transition period is intended to alleviate some of the burden on covered entities, but not at the expense of individuals' privacy rights. Eliminating these privacy protections and rights would severely weaken the Rule with respect to those covered entities with contracts that qualify for the transition period.

Further, the Rule provides covered entities some discretion in implementing these requirements with respect to their business associates. For example, a covered entity does not need to provide an individual with access to protected health information held by a business associate if the only information the business associate holds is a duplicate of what the covered entity maintains and to which it has provided the individual access. Covered entities are required to ensure, in whatever manner deemed effective by the covered entity, the appropriate cooperation by their business associates in meeting these requirements.

In response to other concerns from commenters, the Department clarifies that a covered entity is not required to obtain satisfactory assurances (in any form), as required by Sec. 164.502(e)(1), from a business associate to which the transition period applies. The transition period effectively deems such qualified contracts to fulfill the requirement for satisfactory assurances from the business associate.

The Department is aware that the transition provisions may encourage some covered entities to enter into contracts before the effective date of the modification solely to take advantage of the transition period, rather than encourage such entities to execute fully compliant business associate contracts. However, the Department believes that the provision appropriately limits the potential for such misuse by requiring that qualified contracts exist prior to the modification effective date rather than the Privacy Rule's compliance date. Further, the transition provisions do not relieve the covered entity of its obligations with respect to protected health information held by the business associate and, therefore, ensure that an individual's rights, as provided for by the Rule, remain intact during the transition period.

Response to Other Public Comments

Comment: One commenter requested that the transition period also be applied to the requirement that a group health plan amend plan documents pursuant to Sec. 164.504(f) before protected health information may be disclosed to the plan sponsor.

Response: The Department does not make such a modification. The intent of the business associate transition provisions is to alleviate burden on those covered entities with many existing contracts, where, as a result, the two-year period between the effective date and compliance date of the Privacy Rule may be insufficient to reopen and renegotiate all such contracts for the purposes of bringing them into compliance with the Rule. The Privacy Rule does not require a business associate contract for disclosure of protected health information from a group health plan to a plan sponsor. Rather, the Rule permits a group health plan to disclose protected health information to a plan sponsor if, among other requirements, the plan documents are amended to appropriately reflect and restrict the plan sponsor's uses and disclosures of such information. As the group health plan should only have one set of plan documents that must be amended, the same burdens described above do not exist with respect to this activity. Thus, the Department expects that group health plans will be able to modify plan documents in accordance with the Rule by the Rule's compliance date.

Comment: Many commenters continued to recommend various modifications to the business associate standard, unrelated to the proposed modifications. For example, some commenters urged that the Department eliminate the business associate requirements entirely. Several commenters urged that the Department exempt covered entities from having to enter into contracts with business associates who are also covered entities under the Privacy Rule. Alternatively, one commenter suggested that the Department simplify the requirements by requiring a covered entity that is a business associate to specify in writing the uses and disclosures the covered entity is permitted to make as a business associate.

Other commenters requested that the Department allow business associates to self-certify or be certified by a third party or HHS as compliant with the Privacy Rule, as an alternative to the business associate contract requirement.

Certain commenters urged the Department to modify the Rule to eliminate the need for a contract with accreditation organizations. Some commenters suggested that the Department do so by reclassifying private accreditation organizations acting under authority from a government agency as health oversight organizations, rather than as business associates.

Response: The proposed modifications regarding business associates were intended to address the concerns of commenters with respect to having insufficient time to reopen and renegotiate what could be thousands of contracts for some covered entities by the compliance date of the Privacy Rule. The proposed modifications did not address changes to the definition of, or requirements for, business associates generally. The Department has, in previous guidance, as well as in the preamble to the December 2000 Privacy Rule, explained its position with respect to most of the above concerns. However, the Department summarizes its position in response to such comments briefly below.

The Department recognizes that most covered entities acquire the services of a variety of other persons or entities to assist in carrying out the covered entities' health care activities. The business associate provisions are necessary to ensure that individually identifiable health information created or shared in the course of these relationships is protected. Further, without the business associate provisions, covered entities would be able to circumvent the requirements of the Privacy Rule simply by contracting out certain of their functions.

With respect to a contract between a covered entity and a business associate who is also a covered entity, the Department restates its position that a covered entity that is a business associate should be restricted from using or disclosing the protected health information it creates or receives as a business associate for any purposes other than those explicitly provided for in its contract. Further, to modify the provisions to require or permit a type of written assurance, other than a contract, by a covered entity would add unnecessary complexity to the Rule.

Additionally, the Department at this time does not believe that a business associate certification process would provide the same kind of protections and guarantees with respect to a business associate's actions that are available to a covered entity through a contract under State law. With respect to certification by a third party, it is unclear whether such a process would allow for any meaningful enforcement (such as termination of a contract) for the actions of a business associate. Further, the Department could not require that a business associate be certified by a third party. Thus, the Privacy Rule still would have to allow for a contract between a covered entity and a business associate.

The Privacy Rule explicitly defines organizations that accredit covered entities as business associates. See the definition of "business associate" at Sec. 160.103. The Department defined such organizations as business associates because, like other business associates, they provide a service to the covered entity during which much protected health information is shared. The Privacy Rule treats all organizations that provide accreditation services to covered entities alike. The Department has not been persuaded by the comments that those accreditation organizations acting under grant of authority from a government agency should be treated differently under the Rule and relieved of the conditions placed on other such relationships. However, the Department understands concerns regarding the burdens associated with the business associate contract requirements. The Department clarifies that the business associate provisions may be satisfied by standard or model contract forms which could require little or no modification for each covered entity. As an alternative to the business associate contract, these final modifications permit a covered entity to disclose a limited data set of protected health information, not including direct identifiers, for accreditation and other health care operations purposes subject to a data use agreement. See Sec. 164.514(e).

Comment: A number of commenters continued to express concern over a covered entity's perceived liability with respect to the actions of its business associate. Some commenters requested further clarification that a covered entity is not responsible for or required to monitor the actions of its business associates. It also was suggested that such language expressly be included in the Rule's regulatory text. One commenter recommended that the Rule provide that business associates are directly liable for their own failure to comply with the Privacy Rule. Another commenter urged that the Department eliminate a covered entity's obligation to mitigate any harmful effects caused by a business associate's improper use or disclosure of protected health information.

Response: The Privacy Rule does not require a covered entity to actively monitor the actions of its business associates nor is the covered entity responsible or liable for the actions of its business associates. Rather, the Rule only requires that, where a covered entity knows of a pattern of activity or practice that constitutes a material breach or violation of the business associate's obligations under the contract, the covered entity take steps to cure the breach or end the violation. See Sec. 164.504(e)(1). The Department does not believe a regulatory modification is necessary in this area. The Department does not have the statutory authority to hold business associates, that are not also covered entities, liable under the Privacy Rule.

With respect to mitigation, the Department does not accept the commenter's suggestion. When protected health information is used or disclosed inappropriately, the harm to the individual is the same, regardless of whether the violation was caused by the covered entity or by a business associate. Further, this provision is not an absolute standard intended to require active monitoring of the business associate or mitigation of all harm caused by the business associate. Rather, the provision applies only if the covered entity has actual knowledge of the harm, and requires mitigation only "to the extent practicable" by the covered entity. See Sec. 164.530(f).

Comment: Several commenters asked the Department to provide additional clarification as to who is and is not a business associate for purposes of the Rule. For example, commenters questioned whether researchers were business associates. Other commenters requested further clarification as to when a health care provider would be the business associate of another health care provider. One commenter asked the Department to clarify whether covered entities that engage in joint activities under an organized health care arrangement (OHCA) are required to have a business associate contract. Several commenters asked the Department to clarify that a business associate agreement is not required with organizations or persons where contact with protected health information would result inadvertently (if at all), for example, janitorial services.

Response: The Department provides the following guidance in response to commenters. Disclosures from a covered entity to a researcher for research purposes as permitted by the Rule do not require a business associate contract. This remains true even in those instances where the covered entity has hired the researcher to perform research on the covered entity's own behalf because research is not a covered function or activity. However, the Rule does not prohibit a covered entity from entering into a business associate contract with a researcher if the covered entity wishes to do so. Notwithstanding the above, a covered entity must enter into a data use agreement, as required by Sec. 164.514(e), prior to disclosing a limited data set for research purposes to a researcher.

With respect to business associate contracts between health care providers, the Privacy Rule explicitly excepts from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See Sec. 164.502(e)(1). Therefore, any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment purposes without a business associate contract. The Department does not intend the Rule to interfere with the sharing of information among health care providers for treatment. However, this exception does not preclude one health care provider from establishing a business associate relationship with another health care provider for some other purpose. For example, a hospital may enlist the services of another health care provider to assist in the hospital's training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to patient health information.

As to disclosures among covered entities who participate in an organized health care arrangement, the Department clarifies that no business associate contract is needed to the extent the disclosure relates to the joint activities of the OHCA.

The Department also clarifies that a business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be de minimis, if at all. For example, a health care provider is not required to enter into a business associate contract with its janitorial service because the performance of such service does not involve the use or disclosure of protected health information. In this case, where a janitor has contact with protected health information incidentally, such disclosure is permissible under Sec. 164.502(a)(1)(iii) provided reasonable safeguards are in place.

The Department is aware that similar questions still remain with respect to the business associate provisions of the Privacy Rule and intends to provide technical assistance and further clarifications as necessary to address these questions.

Comment: A few commenters urged that the Department modify the Privacy Rule's requirement for a covered entity to take reasonable steps to cure a breach or end a violation of its business associate contract by a business associate. One commenter recommended that the requirement be modified instead to require a covered entity who has knowledge of a breach to ask its business associate to cure the breach or end the violation. Another commenter argued that a covered entity only should be required to take reasonable steps to cure a breach or end a violation if the business associate or a patient reports to the privacy officer or other responsible employee of the covered entity that a misuse of protected health information has occurred.

Response: It is expected that a covered entity with evidence of a violation will ask its business associate, where appropriate, to cure the breach or end the violation. Further, the Department intends that whether a covered entity "knew" of a pattern or practice of the business associate in breach or violation of the contract will be consistent with common principles of law that dictate when knowledge can be attributed to a corporate entity. Regardless, a covered entity's training of its workforce, as required by Sec. 164.530(b), should address the recognition and reporting of violations to the appropriate responsible persons within the entity.

Comment: Several commenters requested clarification as to whether a business associate is required to provide individuals with access to their protected health information as provided by Sec. 164.524 or an accounting of disclosures as provided by Sec. 164.528, or amend protected health information as required by Sec. 164.526. Some commenters wanted clarification that the access and amendment provisions apply to the business associate only if the business associate maintains the original designated record set of the protected health information.

Response: Under the Rule, the covered entity is responsible for fulfilling all of an individual's rights, including the rights of access, amendment, and accounting, as provided for by Secs. 164.524, 164.526, and 164.528. With limited exceptions, a covered entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. However, the Privacy Rule does not prevent the parties from agreeing through the business associate contract that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of all or part of the designated record set.

As governed by Sec. 164.526, a covered entity must amend protected health information about an individual in a designated record set, including any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate will make protected health information available for amendment and will incorporate amendments accordingly. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.

With respect to accounting, Sec. 164.528 requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. The business associate contract must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate contract that the business associate will provide the accounting to individuals, as may be appropriate given the protected health information held by, and the functions of, the business associate.

Comment: One commenter asked whether a business associate agreement in electronic form, with an electronic signature, would satisfy the Privacy Rule's business associate requirements.

Response: The Privacy Rule generally allows for electronic documents to qualify as written documents for purposes of meeting the Rule's requirements. This also applies with respect to business associate agreements. However, currently, no standards exist under HIPAA for electronic signatures. Thus, in the absence of specific standards, covered entities should ensure any electronic signature used will result in a legally binding contract under applicable State or other law.

Comment: Certain commenters raised concerns with the Rule's classification of attorneys as business associates. A few of these commenters urged the Department to clarify that the Rule's requirement at Sec. 164.504(e)(2)(ii)(H), which requires a contract to state the business associate must make information relating to the use or disclosure of protected health information available to the Secretary for purposes of determining the covered entity's compliance with the Rule, not apply to protected health information in possession of a covered entity's lawyer. Commenters argued that such a requirement threatens to impact attorney-client privilege. Others expressed concern over the requirement that the attorney, as a business associate, must return or destroy protected health information at termination of the contract. It was argued that such a requirement is inconsistent with many current obligations of legal counsel and is neither warranted nor useful.

Response: The Department does not modify the Rule in this regard. The Privacy Rule is not intended to interfere with attorney-client privilege. Nor does the Department anticipate that it will be necessary for the Secretary to have access to privileged material in order to resolve a complaint or investigate a violation of the Privacy Rule. However, the Department does not believe that it is appropriate to exempt attorneys from the business associate requirements.

With respect to the requirement for the return or destruction of protected health information, the Rule requires the return or destruction of all protected health information at termination of the contract only where feasible or permitted by law. Where such action is not feasible, the contract must state that the information will remain protected after the contract ends for as long as the information is maintained by the business associate, and that further uses and disclosures of the information will be limited to those purposes that make the return or destruction infeasible.

Comment: One commenter was concerned that the business associate provisions regarding the return or destruction of protected health information upon termination of the business associate agreement conflict with various provisions of the Bank Secrecy Act, which require financial institutions to retain certain records for up to five years. The commenter further noted that there are many State banking regulations that require financial institutions to retain certain records for up to ten years. The commenter recommended that the Department clarify, in instances of conflict with the Privacy Rule, that financial institutions comply with Federal and State banking regulations.

Response: The Department does not believe there is a conflict between the Privacy Rule and the Bank Secrecy Act retention requirements or that the Privacy Rule would prevent a financial institution that is a business associate of a covered entity from complying with the Bank Secrecy Act. The Privacy Rule generally requires a business associate contract to provide that the business associate will return or destroy protected health information upon the termination of the contract; however, it does not require this if the return or destruction of protected health information is infeasible. Return or destruction would be considered "infeasible" if other law, such as the Bank Secrecy Act, requires the business associate to retain protected health information for a period of time beyond the termination of the business associate contract. The Privacy Rule would require that the business associate contract extend the protections of the contract and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. In this case, the business associate would have to limit the use or disclosure of the protected health information to purposes of the Bank Secrecy Act or State banking regulations.

Comment: A commenter requested clarification concerning the economic impact on business associates of the cost-based copying fees allowed to be charged to individuals who request a copy of their medical record under the right of access provided by the Privacy Rule. See Sec. 164.524. According to the commenter, many hospitals and other covered entities currently outsource their records reproduction function for fees that often include administrative costs over and above the costs of copying. In some cases, the fees may be set in accordance with State law. The Privacy Rule, at Sec. 164.524(c)(4), however, permits only reasonable, cost-based copying fees to be charged to individuals seeking to obtain a copy of their medical record under their right of access. The commenter was concerned that others seeking copies of all or part of the medical record, such as payers, attorneys, or entities that have the individual's authorization, would try to claim the limited copying fees provided in Sec. 164.524(c)(4). The commenter asserted that such a result would drastically alter the economics of the outsourcing industry, driving outsourcing companies out of business, and raising costs for the health industry as a whole. A clarification that the fee structure in Sec. 164.524(c)(4) applies only to individuals exercising their right of access was sought.

Response: The Department clarifies that the Rule, at Sec. 164.524(c)(4), limits only the fees that may be charged to individuals, or to their personal representatives in accordance with Sec. 164.502(g), when the request is to obtain a copy of protected health information about the individual in accordance with the right of access. The fee limitations in Sec. 164.524(c)(4) do not apply to any other permissible disclosures by the covered entity, including disclosures that are permitted for treatment, payment or health care operations, disclosures that are based on an individual's authorization that is valid under Sec. 164.508, or other disclosures permitted without the individual's authorization as specified in Sec. 164.512.

The fee limitation in Sec. 164.524(c)(4) is intended to assure that the right of access provided by the Privacy Rule is available to all individuals, and not just to those who can afford it. Based on the clarification provided, the Department does not anticipate that this provision will cause any significant disruption in the way that covered entities do business today. To the extent hospitals and other entities outsource this function because it is less expensive than doing it themselves, the fee limitation for individuals seeking access under Sec. 164.524 will affect only a portion of this business; and, in these cases, hospitals should still find it economical to outsource these activities, even if they can only pass on a portion of the costs to the individual.
