This article addresses in general terms the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as supplemented by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”), on the discrete issue of the privacy requirements placed upon “covered entities” in regard to their business associates. Before tackling the issue of contracts between covered entities and their business associates, let us first discuss the HIPAA privacy rule in general and then focus upon the relationship between covered entities and their outside contractors.
Basically, the HIPAA privacy rule includes standards for protection of individually identifiable health information, known in regulatory parlance as Protected Health Information (“PHI”). “Individually identifiable health information” is data that relates to an individual’s past, present or future physical or mental health or condition for which there is a reasonable basis to believe the data can be used to identify said individual. The HIPAA privacy rule applies to certain health care providers, health plans, and health care clearinghouses (“covered entities”) creating standards for protection of PHI and an individual’s rights with regard to his or her PHI. More specifically, covered entities are defined as “health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.” See Summary of the HIPAA Privacy Rule at HHS website. What information is protected? “All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule.” See About HIPAA Privacy Rule at CDC website.
Although the HIPAA statute itself only speaks of privacy restrictions placed upon covered entities, the Department of Health and Human Services (HHS) issued regulations extending the reach of the HIPAA privacy rules to business associates of covered entities. A business associate is an outside contractor that performs activities involving the use or disclosure of PHI by the covered entity to the contractor. Examples include accountants, a medical billing firm, or an independent medical transcriptionist.
“The Privacy Rule requires that the satisfactory assurances obtained from the business associate be in the form of a written contract (or other written arrangement, as between governmental entities) between the covered entity and the business associate that contains the elements specified at Sec. 164.504(e). For example, the agreement must identify the uses and disclosures of protected health information the business associate is permitted or required to make, as well as require the business associate to put in place appropriate safeguards to protect against a use or disclosure not permitted by the contract or agreement.” Modifications to the HIPAA Privacy Rule, HHS Explanation of Final Regulations (August 14, 2002). The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) placed additional requirements on safeguarding PHI. Most notably, HITECH obligates business associates of covered entities to comply with HIPAA’s Security Rule for administrative, physical, and technical safeguards of PHI.
The upshot of the foregoing is that covered entities must enter into contracts with those business associates who have access to PHI. No specific wording is mandated by the regulations; however, a covered entity’s contract with a business associate must contain the elements set forth in 45 CFR 164.504(e), i.e., the final HIPAA regulations promulgated by HHS. For example, the contract must describe the permitted uses of PHI and provide that the business associate will not use or disclose PHI other than as permitted by the contract. HITECH requires a business associate, upon discovery of a breach of the security of PHI under its control, to notify the covered entity, which then must notify the affected individual. This duty of the business associate to disclose breaches of PHI security to the covered entity should also be written into the contract.
The HIPAA Privacy Rule excepts from the above standard certain disclosures by a covered entity. Specifically, the standard does not apply to disclosures by a covered entity to a health care provider for treatment purposes; disclosures to the plan sponsor by a group health plan, or a health insurance issuer or HMO with respect to a group health plan, to the extent that the requirements of Sec. 164.504(f) apply and are met; or to the collection and sharing of protected health information by a health plan that is a public benefits program and an agency other than the agency administering the health plan, where the other agency collects protected health information for, or determines eligibility or enrollment with respect to, the government program, and where such activity is authorized by law. See Regulation Sec. 164.502(e)(1)(ii).