This document proposes modifications to regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to implement recent amendments made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Key proposals include extending certain privacy and security protections of protected health information to business associates of covered entities, requiring notification of breaches of unsecured protected health information, and strengthening individual rights to access and restrict use of their health information. Public comments are solicited on the proposed changes.
Wednesday, July 14, 2010

Part II

Department of Health and Human Services

45 CFR Parts 160 and 164

Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule
40868 Federal Register / Vol. 75, No. 134 / Wednesday, July 14, 2010 / Proposed Rules
DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN: 0991–AB57

Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act

AGENCY: Office for Civil Rights, Department of Health and Human Services.

ACTION: Notice of proposed rulemaking.

SUMMARY: The Department of Health and Human Services (HHS or ‘‘the Department’’) is issuing this notice of proposed rulemaking to modify the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), the Security Standards for the Protection of Electronic Protected Health Information (Security Rule), and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of these modifications is to implement recent statutory amendments under the Health Information Technology for Economic and Clinical Health Act (‘‘the HITECH Act’’ or ‘‘the Act’’), to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA Rules.

DATES: Submit comments on or before September 13, 2010.

ADDRESSES: You may submit comments, identified by RIN 0991–AB57, by any of the following methods (please do not submit duplicate comments):

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.

• Regular, Express, or Overnight Mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Privacy and Security Rule Modifications, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies.

• Hand Delivery or Courier: Office for Civil Rights, Attention: HITECH Privacy and Security Rule Modifications, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without Federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should not include any sensitive personal information, such as a person’s social security number; date of birth; driver’s license number, State identification number or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information, or any non-public corporate or trade association information, such as trade secrets or other proprietary information.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202–205–2292.

SUPPLEMENTARY INFORMATION: The discussion below includes a description of the statutory and regulatory background of the proposed rules, a section-by-section description of the proposed modifications, and the impact statement and other required regulatory analyses. We solicit public comment on the proposed rules. Persons interested in commenting on the provisions of the proposed rules can assist us by preceding discussion of any particular provision or topic with a citation to the section of the proposed rule being discussed.

I. Statutory and Regulatory Background

The regulatory modifications proposed below concern several sets of rules that implement the Administrative Simplification provisions of title II, subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104–191), which added a new part C to title XI of the Social Security Act (sections 1171–1179 of the Social Security Act, 42 U.S.C. 1320d–1320d–8). The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111–5, modifies certain provisions of the Social Security Act pertaining to the Administrative Simplification Rules (HIPAA Rules) and requires certain modifications to the HIPAA Rules themselves.

A. HIPAA Administrative Simplification—Statutory Background

The Administrative Simplification provisions of HIPAA provided for the establishment of national standards for the electronic transmission of certain health information, such as standards for certain health care transactions conducted electronically and code sets and unique health care identifiers for health care providers and employers. The Administrative Simplification provisions of HIPAA also required the establishment of national standards to protect the privacy and security of personal health information and established civil money and criminal penalties for violations of the Administrative Simplification provisions. The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as ‘‘covered entities’’: health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses.

B. HIPAA Administrative Simplification—Regulatory Background

The rules proposed below concern the privacy and security standards issued pursuant to HIPAA, as well as the enforcement rules that implement HIPAA’s civil money penalty authority. The Standards for Privacy of Individually Identifiable Health Information, known as the ‘‘Privacy Rule,’’ were issued on December 28, 2000, and amended on August 14, 2002. See 65 FR 82462, as amended at 67 FR 53182. The Security Standards for the Protection of Electronic Protected Health Information, known as the ‘‘Security Rule,’’ were issued on February 20, 2003. See 68 FR 8334. The Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings regulations, collectively known as the ‘‘Enforcement Rule,’’ were issued as an interim final rule on April 17, 2003 (68 FR 18895), and revised and issued as a final rule, following rulemaking, on February 16, 2006 (71 FR 8390).

The Privacy Rule protects individuals’ medical records and other individually
identifiable health information created or received by or on behalf of covered entities, known as ‘‘protected health information.’’ The Privacy Rule protects individuals’ health information by regulating the circumstances under which covered entities may use and disclose protected health information and by requiring covered entities to have safeguards in place to protect the privacy of the information. As part of these protections, covered entities are required to have contracts or other arrangements in place with business associates that perform functions for or provide services to the covered entity and that require access to protected health information to ensure that these business associates likewise protect the privacy of the health information. The Privacy Rule also gives individuals rights with respect to their protected health information, including rights to examine and obtain a copy of their health records and to request corrections.

The Security Rule, which applies only to protected health information in electronic form, requires covered entities to implement certain administrative, physical, and technical safeguards to protect this electronic information. As with the Privacy Rule, the Security Rule requires covered entities to have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain, or transmit on behalf of the covered entities.

The Enforcement Rule establishes rules governing the compliance responsibilities of covered entities with respect to cooperation in the enforcement process. It also provides rules governing the investigation by the Department of compliance by covered entities, both through the investigation of complaints and the conduct of compliance reviews. It establishes rules governing the process and grounds for establishing the amount of a civil money penalty where the Department has determined a covered entity has violated a requirement of a HIPAA Rule. Finally, the Enforcement Rule establishes rules governing the procedures for hearings and appeals where the covered entity challenges a violation determination.

C. The HITECH Act—Statutory Background

The HITECH Act, enacted on February 17, 2009, is designed to promote the widespread adoption and standardization of health information technology. Subtitle D of title XIII, entitled ‘‘Privacy,’’ supports this goal by adopting amendments designed to strengthen the privacy and security protections of health information established by HIPAA. These provisions include extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities; requiring HIPAA covered entities and business associates to provide for notification of breaches of ‘‘unsecured protected health information’’; establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes; prohibiting the sale of protected health information; requiring the consideration of a limited data set as the minimum necessary amount of information; and expanding individuals’ rights to access and receive an accounting of disclosures of their protected health information, and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, subtitle D adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions. We provide a brief overview of the relevant statutory provisions below.

In the area of business associates, the Act makes a number of changes. First, section 13401 of the Act applies certain provisions of the Security Rule that apply to covered entities directly to their business associates and makes business associates liable for civil and criminal penalties for the failure to comply with these provisions. Similarly, section 13404 makes business associates of covered entities civilly and criminally liable under the Privacy Rule for making uses and disclosures of protected health information that do not comply with the terms of their business associate contracts. The Act also provides that the additional privacy and security requirements of subtitle D of the Act are applicable to business associates and that such requirements shall be incorporated into business associate contracts. Finally, section 13408 of the Act requires that organizations that provide data transmission of protected health information to a covered entity or business associate and that require routine access to such information, such as Health Information Exchange Organizations, Regional Health Information Organizations, and E-prescribing Gateways, as well as vendors that contract with covered entities to offer personal health records to patients as part of the covered entities’ electronic health records, shall be treated as business associates for purposes of the HITECH Act and the HIPAA Privacy and Security Rules and required to enter into business associate contracts.

Section 13402 of the Act sets forth the breach notification provisions, requiring covered entities and business associates to provide notification following discovery of a breach of unsecured protected health information. Additionally, section 13407 of the Act, enforced by the Federal Trade Commission (FTC), applies similar breach notification provisions to vendors of personal health records and their third party service providers.

Section 13405 of the Act requires the Department to modify certain Privacy Rule provisions. In particular, section 13405 sets forth certain circumstances in which covered entities must comply with an individual’s request for restriction of disclosure of his or her protected health information, provides for covered entities to consider a limited data set as the minimum necessary for a particular use, disclosure, or request of protected health information, and requires the Secretary to issue guidance to address what constitutes minimum necessary under the Privacy Rule. Section 13405 also requires the Department to modify the Privacy Rule to require covered entities that use or maintain electronic health records to provide individuals, upon request, with an accounting of disclosures of protected health information through an electronic health record for treatment, payment, or health care operations; generally prohibits the sale of protected health information without a valid authorization from the individual; and strengthens an individual’s right to an electronic copy of their protected health information, where a covered entity uses or maintains an electronic health record.

Section 13406 of the Act requires the Department to modify the marketing and fundraising provisions of the Privacy Rule. With respect to marketing, the Act requires authorizations for certain health-related communications, which are currently exempted from the definition of marketing, if the covered entity receives remuneration in exchange for making the communication. The Act also strengthens an individual’s right under the Privacy Rule to opt out of fundraising communications by requiring the Department to modify the Privacy Rule so that covered entities must provide individuals with a clear and conspicuous opportunity to opt out of receiving fundraising
communications and by requiring that an opt out be treated as a revocation of authorization under the Privacy Rule.

Section 13410 of the Act addresses enforcement in a number of ways. First, section 13410(a) provides that the Secretary’s authority to impose a civil money penalty will only be barred to the extent a criminal penalty has been imposed, rather than in cases in which the offense in question merely constitutes an offense criminally punishable. In addition, section 13410(a) of the Act requires the Secretary to formally investigate any complaint where a preliminary investigation of the facts indicates a possible violation due to willful neglect and to impose a penalty where a violation is found in such cases. Section 13410(c) of the Act provides, for purposes of enforcement, for the transfer to the HHS Office for Civil Rights of any civil money penalty or monetary settlement collected under the Privacy and Security Rules and also requires the Department to establish by regulation a methodology for distributing to harmed individuals a percentage of the civil money penalties and monetary settlements collected under the Privacy and Security Rules. Effective as of February 18, 2009, section 13410(d) of the Act also modified the civil money penalty structure for violations of the HIPAA Rules by implementing a tiered increase in the amount of penalties based on culpability. In addition, as of February 18, 2009, section 13410(e) of the Act also granted State Attorneys General the authority to enforce the HIPAA Rules by bringing civil actions on behalf of State residents in court.

Section 13421 states that HIPAA’s State preemption provisions at 42 U.S.C. 1320d–7 shall apply to the provisions of subtitle D of the HITECH Act in the same manner as they do to HIPAA’s provisions.1 Section 13423 of the Act provides a general effective date of February 18, 2010, for most of its provisions, except where a different effective date is otherwise provided.

The Act also provides for the development of guidance, reports, and studies in a number of areas, including guidance on appropriate technical safeguards to implement the HIPAA Security Rule (section 13401(c)); for purposes of breach notification, guidance on the methods and technologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals (section 13402(h)); guidance on what constitutes the minimum necessary amount of information for purposes of the Privacy Rule (section 13405(b)); a report by the Government Accountability Office (GAO) regarding recommendations for a methodology under which harmed individuals may receive a percentage of civil money penalties and monetary settlements under the HIPAA Privacy and Security Rules (section 13410(c)); a report to Congress on HIPAA Privacy and Security enforcement (section 13424(a)); a study and report on the application of privacy and security requirements to non-HIPAA covered entities (section 13424(b)); guidance on de-identification (section 13424(c)); and a study on the Privacy Rule’s definition of ‘‘psychotherapy notes’’ at 45 CFR 164.501, with regard to including test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation (section 13424(f)).

Finally, the Act includes provisions for education by HHS on health information privacy and for periodic audits by the Secretary. Section 13403(a) provides for the Secretary to designate HHS regional office privacy advisors to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy and security requirements for protected health information. Section 13403(b) requires the HHS Office for Civil Rights, not later than 12 months after enactment, to develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of protected health information, including programs to educate individuals about potential uses of their protected health information, the effects of such uses, and the rights of individuals with respect to such uses. Section 13411 requires the Secretary to provide for periodic audits to ensure covered entities and business associates comply with the applicable requirements of the HIPAA Privacy and Security Rules.

We discuss many of the Act’s statutory provisions in more detail below where we describe section-by-section how these proposed regulations would implement those provisions of the Act. However, we do not discuss in detail the breach notification provisions in sections 13402 of the Act or the modified civil money penalty structure in section 13410(d) of the Act, which as explained below, have been the subject of previous rulemakings. In addition, we do not address in this rulemaking the accounting for disclosures requirement in section 13405 of the Act, which is tied to the adoption of a standard under the HITECH Act at subtitle A of title XIII of ARRA, or the penalty distribution methodology requirement in section 13410(c) of the Act, which is to be based on the recommendations noted above to be developed at a later date by the GAO. These provisions will be the subject of future rulemakings. Further, we clarify that we are not issuing regulations with respect to the new authority of the State Attorneys General to enforce the HIPAA Rules. Finally, other than the guidance required by section 13405(b) of the Act with respect to what constitutes minimum necessary, this proposed rule does not address the studies, reports, guidance, audits, or education efforts required by the HITECH Act.

D. The HITECH Act—Regulatory Background

As noted above, certain of the HITECH Act’s privacy and security provisions have already been the subject of rulemakings and related actions. In particular, the Department published interim final regulations to implement the breach notification provisions at section 13402 of the Act for HIPAA covered entities and business associates in the Federal Register on August 24, 2009 (74 FR 42740), effective September 23, 2009. Similarly, the FTC published final regulations implementing the breach notification provisions at section 13407 for personal health record vendors and their third party service providers on August 25, 2009 (74 FR 42962), effective September 24, 2009. For purposes of determining to what information the HHS and FTC breach notification regulations apply, the Department also issued, first on April 17, 2009 (published in the Federal Register on April 27, 2009, 74 FR 19006), and then later with its interim final rule, the guidance required by the HITECH Act under 13402(h) specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. In addition, to conform the provisions of the Enforcement Rule to the new tiered and increased civil money penalty structure made effective by the HITECH Act on the day after enactment, or February 18, 2009, the Department published an interim final rule on October 30, 2009 (74 FR 56123), effective November 30, 2009.

1 We note that section 13421 of the HITECH Act and HIPAA’s State preemption provisions do not affect the applicability of other Federal law, such as the Confidentiality of Alcohol and Drug Abuse Patient Records Regulation at 42 CFR Part 2, to a covered entity’s use or disclosure of health information.
II. General Issues

A. Effective and Compliance Dates

As noted above, section 13423 of the Act provides that the provisions in subtitle D took effect one year after enactment, i.e., on February 18, 2010, except as specified otherwise. There are a number of exceptions to this general rule. Some provisions were effective the day after enactment, i.e., February 18, 2009. For example, the tiered and increased civil money penalty provisions of section 13410(d) were effective for violations occurring after the date of enactment. Sections 13402 and 13407 of the Act regarding breach notification required interim final rules within 180 days of enactment, with effective dates 30 days after the publication of such rules. Other provisions of the Act have later effective dates. For example, the provision at section 13410(a)(1) of the Act providing that the Secretary’s authority to impose a civil money penalty will only be barred to the extent a criminal penalty has been imposed, rather than in cases in which the offense in question merely constitutes an offense that is criminally punishable, becomes effective for violations occurring on or after February 18, 2011. The rules proposed below generally pertain to the statutory provisions that became effective on February 18, 2010, or, in a few cases, on a later date.

We note that the final rule will not take effect until after most of the provisions of the HITECH Act became effective on February 18, 2010. We recognize that it will be difficult for covered entities and business associates to comply with the statutory provisions until after we have finalized our changes to the HIPAA Rules. In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions. We believe that providing a 180-day compliance period best comports with section 1175(b)(2) of the Social Security Act, 42 U.S.C. 1320d–4, and our implementing provision at 45 CFR 160.104(c)(1), which require the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules. While the Social Security Act and the HIPAA Rules permit the Secretary to further delay the compliance date for small health plans, we do not believe that it is necessary to do so for this rule both because most of the changes being proposed are discrete modifications to existing requirements of the HIPAA Rules, as well as because the Department is proposing an additional one-year transition period to modify certain business associate agreements, which should provide sufficient relief to all covered entities, including small health plans. The Department welcomes comment on the assumption that it is not necessary to extend the compliance date for small health plans.

We also expect that for future modifications to the HIPAA Rules, in most cases, a 180-day compliance period will suffice. Accordingly, we propose to add a provision at § 160.105 to address the compliance date generally for implementation of new or modified standards in the HIPAA Rules. Proposed § 160.105 would provide that with respect to new standards or implementation specifications or modifications to standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates must comply with the applicable new standards or implementation specifications or modifications to standards or implementation specifications no later than 180 days from the effective date of any such change. Where future modifications to the HIPAA Rules necessitate a longer compliance period, we would provide so accordingly in the regulatory text. We propose to retain the compliance date provisions at §§ 164.534 and 164.318, which provide compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively, for historical purposes only.

We note that proposed § 160.105 regarding the compliance date of new or modified standards or implementation specifications would not apply to modifications to the provisions of the HIPAA Enforcement Rule because such provisions are not standards or implementation specifications (as the terms are defined at § 160.103). Such provisions are in effect and apply at the time the final rule becomes effective or as otherwise specifically provided. We also note that our proposed general rule for a 180-day compliance period for new or modified standards would not apply where we expressly provide a different compliance period in the regulation for one or more provisions. For purposes of this proposed rule, this would mean that the 180-day compliance period would not govern the time period required to modify those business associate agreements that qualify for the longer transition period proposed in § 164.532. We seek comments on any potential unintended consequences of establishing a 180-day compliance date as a regulatory default, with the noted exceptions.

B. Other Proposed Changes

While passage of the HITECH Act necessitates much of the rulemaking below, it does not account for all of the proposed changes to the HIPAA Privacy, Security, and Enforcement Rules encompassed in this rulemaking. The Department is taking this opportunity to improve the workability and effectiveness of all three sets of HIPAA Rules. The Privacy Rule has not been amended since 2002, and the Security Rule has not been amended since 2003. While the Enforcement Rule was amended in the October 30, 2009, interim final rule to incorporate the enforcement-related HITECH statutory changes that are already effective, it has not been otherwise substantively amended since 2006. In the intervening years, HHS has accumulated a wealth of experience with these rules, both from public contact in various forums and through the process of enforcing the rules. In addition, we have identified a number of needed technical corrections to the rules. Accordingly, we propose a number of modifications that we believe will eliminate ambiguities in the rules and/or make them more workable and effective. Further, we propose a few modifications to conform the HIPAA Privacy Rule to provisions in the Patient Safety and Quality Improvement Act of 2005 (PSQIA). We address the substantive proposed changes in the section-by-section description of the proposed rule below. Technical corrections are discussed at the end of the section-by-section description of the other proposed amendments to the rules.

III. Section-by-Section Description of the Proposed Amendments to Subparts A and B of Part 160

Subpart A of part 160 of the HIPAA Rules contains general provisions that apply to all of the HIPAA Rules. Subpart B of part 160 contains the regulatory provisions implementing HIPAA’s preemption provisions. We propose to amend a number of these provisions. Some of the proposed changes are necessitated by the statutory changes made by the HITECH Act, while others are of a technical or conforming nature.
A. Subpart A—General Provisions, Section 160.101—Statutory Basis and Purpose

This section sets out the statutory basis and purpose of the HIPAA Rules. We propose a technical change to include a reference to the provisions of the HITECH Act upon which most of the regulatory changes proposed below are based.

B. Subpart A—General Provisions, Section 160.102—Applicability

This section sets out to whom the HIPAA Rules apply. We propose to add a new paragraph (b) to make clear, consistent with the provisions of the HITECH Act that are discussed more fully below, that the standards, requirements, and implementation specifications of the subchapter apply to business associates, where so provided.

C. Subpart A—General Provisions, Section 160.103—Definitions

Section 160.103 contains definitions of terms that appear throughout the HIPAA Rules. For ease of reference, we propose to move several definitions currently found at § 160.302 to § 160.103 without substantive change to the definitions themselves. This category includes definitions of the following terms: “ALJ,” “civil money penalty,” and “violation or violate.” As the removal of these definitions, along with the removal of other definitions discussed below (e.g., “administrative simplification provision” and “respondent”), would leave § 160.302 unpopulated, we propose to reserve that section. We also propose to remove a comma from the definition of “disclosure” inadvertently inserted into the definition in a prior rulemaking, which is not intended as a substantive change to the definition. In addition, we propose to replace the term “individually identifiable health information” with “protected health information” in the definition of “standard” to better reflect the scope of the Privacy and Security Rules. Further, we propose the following definitional changes:

1. Definition of “Administrative Simplification Provision”

This definition is currently located in the definitions section of subpart C of part 160 of the HIPAA Enforcement Rule. We propose to remove the definition of this term from § 160.302 and move it to the definitions section located at § 160.103 for clarity and convenience, as the term is used repeatedly throughout the entire part 160. We also propose to add to the definition a reference to sections 13400–13424 of the HITECH Act.

2. Definition of “Business Associate”

Sections 164.308(b) of the Security Rule and 164.502(e) of the Privacy Rule require a covered entity to enter into a contract or other written agreement or arrangement with its business associates. The purpose of these contracts or other arrangements, generally known as business associate agreements, is to provide some legal protection when protected health information is being handled by another person (a natural person or legal entity) on behalf of a covered entity. The HIPAA Rules define “business associate” generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. Examples of business associates include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information. We propose a number of modifications to the definition of “business associate.” In particular, we propose to modify the definition to conform the term to the statutory provisions of PSQIA, 42 U.S.C. 299b–21, et seq., and the HITECH Act. Additional modifications are made for the purpose of clarifying circumstances when a business associate relationship exists and for general clarification of the definition.

a. Inclusion of Patient Safety Organizations

We propose to add patient safety activities to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship. PSQIA, at 42 U.S.C. 299b–22(i)(1), provides that Patient Safety Organizations (PSOs) must be treated as business associates when applying the Privacy Rule. PSQIA provides for the establishment of PSOs to receive reports of patient safety events or concerns from providers and provide analyses of events to reporting providers. A reporting provider may be a HIPAA covered entity and, thus, information reported to a PSO may include protected health information that the PSO may analyze on behalf of the covered provider. The analysis of such information is a patient safety activity for purposes of PSQIA and the Patient Safety Rule, 42 CFR 3.10, et seq. While the HIPAA Rules as written would encompass a PSO as a business associate when the PSO was performing quality analyses and other activities on behalf of a covered health care provider, we propose this change to the definition of business associate to more clearly align the HIPAA and Patient Safety Rules.

We note that in some cases a covered health care provider, such as a public or private hospital, may have a component PSO that performs patient safety activities on behalf of the health care provider. See 42 CFR 3.20. In such cases, the component PSO would not be a business associate of the covered entity but rather the persons performing patient safety activities would be workforce members of the covered entity. However, if the component PSO contracts out some of its patient safety activities to a third party, the third party would be a business associate of the covered entity. In addition, if a component PSO of one covered entity performs patient safety activities for another covered entity, such component PSO would be a business associate of the other covered entity.

b. Inclusion of Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as Well as Vendors of Personal Health Records

Section 13408 of the HITECH Act, which became effective on February 18, 2010, provides that an organization, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, that provides data transmission of protected health information to a covered entity (or its business associate) and that requires access on a routine basis to such protected health information must be treated as a business associate for purposes of the Act and the HIPAA Privacy and Security Rules. Section 13408 also provides that a vendor that contracts with a covered entity to allow the covered entity to offer a personal health record to patients as part of the covered entity's electronic health record shall be treated as a business associate. Section 13408 requires that such organizations and vendors enter into a written business associate contract or other arrangement with the covered entity in accordance with the HIPAA Rules.

In accordance with the Act, we propose to modify the definition of “business associate” to explicitly designate these persons as business
associates. Under proposed paragraphs (3)(i) and (ii) of the definition, the term “business associate” would include: (1) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

Section 13408 of the Act makes reference to Health Information Exchange Organizations; however, we instead include in the proposed definition the term “Health Information Organization” because it is our understanding that “Health Information Organization” is the more widely recognized and accepted term to describe an organization that oversees and governs the exchange of health-related information among organizations.[2] Section 13408 of the Act also specifically refers to Regional Health Information Organizations. However, we do not believe the inclusion of the term in the definition of “business associate” is necessary as a Regional Health Information Organization is simply a Health Information Organization that governs health information exchange among organizations within a defined geographic area.[3] Further, the specific terms of “Health Information Organization” and “E-prescribing Gateway” are merely illustrative of the types of organizations that would fall within this paragraph of the definition of “business associate.” We request comment on the use of these terms within the definition and whether additional clarifications or additions are necessary.

Section 13408 also provides that the data transmission organizations that the Act requires to be treated as business associates are those that require access to protected health information on a routine basis. Conversely, data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates. This is consistent with our prior interpretation of the definition of “business associate,” through which we have indicated that entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates. See http://www.hhs.gov/ocr/privacy/hipaa/faq/providers/business/245.html. In contrast, however, entities that manage the exchange of protected health information through a network, including providing patient locator services and performing various oversight and governance functions for electronic health information exchange, have more than “random” access to protected health information and thus, would fall within the definition of “business associate.”

c. Inclusion of Subcontractors

We propose to add language in paragraph (3)(iii) of the definition of “business associate” to provide that subcontractors of a covered entity—i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate's workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” in § 160.103 to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person. We request comment on the use of the term “subcontractor” and its proposed definition.

The proposed modifications are similar in structure and effect to the Privacy Rule's initial extension of privacy protections from covered entities to business associates through contract requirements to protect downstream protected health information. The proposed provisions avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity. Allowing such a lapse in privacy and security protections may allow business associates to avoid liability imposed upon them by sections 13401 and 13404 of the Act, thus circumventing the congressional intent underlying these provisions. The proposed definition of “subcontractor” also is consistent with Congress' overall concern that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information in order for the covered entity to perform its health care functions. For example, as discussed above, section 13408 makes explicit that certain types of entities providing services to covered entities—e.g., vendors of personal health records—shall be considered business associates. Therefore, consistent with Congress' intent in sections 13401 and 13404 of the Act, as well as its overall concern that the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information, we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. We note, and further explain below, that this proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

d. Exceptions to Business Associate

We also propose to move the provisions at §§ 164.308(b)(2) and 164.502(e)(1)(ii) to the definition of business associate. These provisions provide that in certain circumstances, such as when a covered entity discloses protected health information to a health care provider concerning the treatment of an individual, a covered entity is not required to enter into a business

[2] Department of Health and Human Services, Office of the National Coordinator for Health Information Technology, The National Alliance for Health Information Technology Report to the Office of the National Coordinator For Health Information Technology: Defining Key Health Information Terms, Pg. 24 (2008).

[3] Id. at 25.