SlideShare verwendet Cookies, um die Funktionalität und Leistungsfähigkeit der Webseite zu verbessern und Ihnen relevante Werbung bereitzustellen. Wenn Sie diese Webseite weiter besuchen, erklären Sie sich mit der Verwendung von Cookies auf dieser Seite einverstanden. Lesen Sie bitte unsere Nutzervereinbarung und die Datenschutzrichtlinie.
SlideShare verwendet Cookies, um die Funktionalität und Leistungsfähigkeit der Webseite zu verbessern und Ihnen relevante Werbung bereitzustellen. Wenn Sie diese Webseite weiter besuchen, erklären Sie sich mit der Verwendung von Cookies auf dieser Seite einverstanden. Lesen Sie bitte unsere unsere Datenschutzrichtlinie und die Nutzervereinbarung.
Wednesday, July 14, 2010 Part II Department of Health and Human Services 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rulesrobinson on DSKHWCL6B1PROD with PROPOSALS2 VerDate Mar<15>2010 15:51 Jul 13, 2010 Jkt 220001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:FRFM14JYP2.SGM 14JYP2
40868 Federal Register / Vol. 75, No. 134 / Wednesday, July 14, 2010 / Proposed Rules DEPARTMENT OF HEALTH AND H. Humphrey Building, Room 509F, 200 and Clinical Health (HITECH) Act, HUMAN SERVICES Independence Avenue, SW., which was enacted as title XIII of Washington, DC 20201. Please submit division A and title IV of division B of Office of the Secretary one original and two copies. (Because the American Recovery and access to the interior of the Hubert H. Reinvestment Act of 2009 (ARRA), 45 CFR Parts 160 and 164 Humphrey Building is not readily Public Law 111–5, modifies certain available to persons without Federal provisions of the Social Security Act RIN: 0991–AB57 government identification, commenters pertaining to the Administrative Modifications to the HIPAA Privacy, are encouraged to leave their comments Simplification Rules (HIPAA Rules) and Security, and Enforcement Rules in the mail drop slots located in the requires certain modifications to the Under the Health Information main lobby of the building.) HIPAA Rules themselves. Technology for Economic and Clinical Inspection of Public Comments: All A. HIPAA Administrative Health Act comments received before the close of Simplification—Statutory Background the comment period will be available for AGENCY: Office for Civil Rights, public inspection, including any The Administrative Simplification Department of Health and Human personally identifiable or confidential provisions of HIPAA provided for the Services. business information that is included in establishment of national standards for ACTION: Notice of proposed rulemaking. a comment. We will post all comments the electronic transmission of certain received before the close of the health information, such as standards SUMMARY: The Department of Health and comment period at http:// for certain health care transactions Human Services (HHS or ‘‘the www.regulations.gov. Because conducted electronically and code sets Department’’) is issuing this notice of comments will be made public, they and unique health care identifiers for proposed rulemaking to modify the should not include any sensitive health care providers and employers. Standards for Privacy of Individually personal information, such as a person’s The Administrative Simplification Identifiable Health Information (Privacy social security number; date of birth; provisions of HIPAA also required the Rule), the Security Standards for the driver’s license number, State establishment of national standards to Protection of Electronic Protected identification number or foreign country protect the privacy and security of Health Information (Security Rule), and equivalent; passport number; financial personal health information and the rules pertaining to Compliance and account number; or credit or debit card established civil money and criminal Investigations, Imposition of Civil number. Comments also should not penalties for violations of the Money Penalties, and Procedures for include any sensitive health Administrative Simplification Hearings (Enforcement Rule) issued provisions. The Administrative information, such as medical records or under the Health Insurance Portability Simplification provisions of HIPAA other individually identifiable health and Accountability Act of 1996 apply to three types of entities, which information, or any non-public (HIPAA). The purpose of these are known as ‘‘covered entities’’: health corporate or trade association modifications is to implement recent care providers who conduct covered information, such as trade secrets or statutory amendments under the Health health care transactions electronically, other proprietary information. Information Technology for Economic health plans, and health care FOR FURTHER INFORMATION CONTACT: clearinghouses. and Clinical Health Act (‘‘the HITECH Andra Wicks, 202–205–2292. Act’’ or ‘‘the Act’’), to strengthen the B. HIPAA Administrative SUPPLEMENTARY INFORMATION: privacy and security protection of Simplification—Regulatory Background The discussion below includes a health information, and to improve the description of the statutory and The rules proposed below concern the workability and effectiveness of these regulatory background of the proposed privacy and security standards issued HIPAA Rules. rules, a section-by-section description of pursuant to HIPAA, as well as the DATES: Submit comments on or before the proposed modifications, and the enforcement rules that implement September 13, 2010. impact statement and other required HIPAA’s civil money penalty authority. ADDRESSES: You may submit comments, regulatory analyses. We solicit public The Standards for Privacy of identified by RIN 0991–AB57, by any of comment on the proposed rules. Persons Individually Identifiable Health the following methods (please do not interested in commenting on the Information, known as the ‘‘Privacy submit duplicate comments): provisions of the proposed rules can Rule,’’ were issued on December 28, • Federal eRulemaking Portal: http:// assist us by preceding discussion of any 2000, and amended on August 14, 2002. www.regulations.gov. Follow the particular provision or topic with a See 65 FR 82462, as amended at 67 FR instructions for submitting comments. citation to the section of the proposed 53182. The Security Standards for the Attachments should be in Microsoft rule being discussed. Protection of Electronic Protected Word, WordPerfect, or Excel; however, Health Information, known as the we prefer Microsoft Word. I. Statutory and Regulatory Background ‘‘Security Rule,’’ were issued on • Regular, Express, or Overnight Mail: The regulatory modifications February 20, 2003. See 68 FR 8334. The U.S. Department of Health and Human proposed below concern several sets of Compliance and Investigations, Services, Office for Civil Rights, rules that implement the Administrative Imposition of Civil Money Penalties,srobinson on DSKHWCL6B1PROD with PROPOSALS2 Attention: HITECH Privacy and Security Simplification provisions of title II, and Procedures for Hearings regulations, Rule Modifications, Hubert H. subtitle F, of the Health Insurance collectively known as the ‘‘Enforcement Humphrey Building, Room 509F, 200 Portability and Accountability Act of Rule,’’ were issued as an interim final Independence Avenue, SW., 1996 (HIPAA) (Pub. L. 104–191), which rule on April 17, 2003 (68 FR 18895), Washington, DC 20201. Please submit added a new part C to title XI of the and revised and issued as a final rule, one original and two copies. Social Security Act (sections 1171–1179 following rulemaking, on February 16, • Hand Delivery or Courier: Office for of the Social Security Act, 42 U.S.C. 2006 (71 FR 8390). Civil Rights, Attention: HITECH Privacy 1320d–1320d–8). The Health The Privacy Rule protects individuals’ and Security Rule Modifications, Hubert Information Technology for Economic medical records and other individually VerDate Mar<15>2010 15:51 Jul 13, 2010 Jkt 220001 PO 00000 Frm 00002 Fmt 4701 Sfmt 4702 E:FRFM14JYP2.SGM 14JYP2
Federal Register / Vol. 75, No. 134 / Wednesday, July 14, 2010 / Proposed Rules 40869 identifiable health information created standardization of health information entities’ electronic health records, shall or received by or on behalf of covered technology. Subtitle D of title XIII, be treated as business associates for entities, known as ‘‘protected health entitled ‘‘Privacy,’’ supports this goal by purposes of the HITECH Act and the information.’’ The Privacy Rule protects adopting amendments designed to HIPAA Privacy and Security Rules and individuals’ health information by strengthen the privacy and security required to enter into business associate regulating the circumstances under protections of health information contracts. which covered entities may use and established by HIPAA. These provisions Section 13402 of the Act sets forth the disclose protected health information include extending the applicability of breach notification provisions, requiring and by requiring covered entities to certain of the Privacy and Security covered entities and business associates have safeguards in place to protect the Rules’ requirements to the business to provide notification following privacy of the information. As part of associates of covered entities; requiring discovery of a breach of unsecured these protections, covered entities are HIPAA covered entities and business protected health information. required to have contracts or other associates to provide for notification of Additionally, section 13407 of the Act, arrangements in place with business breaches of ‘‘unsecured protected health enforced by the Federal Trade associates that perform functions for or information’’; establishing new Commission (FTC), applies similar provide services to the covered entity limitations on the use and disclosure of breach notification provisions to and that require access to protected protected health information for vendors of personal health records and health information to ensure that these marketing and fundraising purposes; their third party service providers. business associates likewise protect the prohibiting the sale of protected health Section 13405 of the Act requires the privacy of the health information. The information; requiring the consideration Department to modify certain Privacy Privacy Rule also gives individuals of a limited data set as the minimum Rule provisions. In particular, section rights with respect to their protected necessary amount of information; and 13405 sets forth certain circumstances health information, including rights to expanding individuals’ rights to access in which covered entities must comply examine and obtain a copy of their and receive an accounting of disclosures with an individual’s request for health records and to request of their protected health information, restriction of disclosure of his or her corrections. and to obtain restrictions on certain protected health information, provides The Security Rule, which applies only disclosures of protected health for covered entities to consider a limited to protected health information in information to health plans. In addition, data set as the minimum necessary for electronic form, requires covered subtitle D adopts provisions designed to a particular use, disclosure, or request of entities to implement certain strengthen and expand HIPAA’s protected health information, and administrative, physical, and technical enforcement provisions. We provide a requires the Secretary to issue guidance safeguards to protect this electronic to address what constitutes minimum brief overview of the relevant statutory information. As with the Privacy Rule, necessary under the Privacy Rule. provisions below. the Security Rule requires covered Section 13405 also requires the entities to have contracts or other In the area of business associates, the Department to modify the Privacy Rule arrangements in place with their Act makes a number of changes. First, to require covered entities that use or business associates that provide section 13401 of the Act applies certain maintain electronic health records to satisfactory assurances that the business provisions of the Security Rule that provide individuals, upon request, with associates will appropriately safeguard apply to covered entities directly to an accounting of disclosures of the electronic protected health their business associates and makes protected health information through an information they receive, create, business associates liable for civil and electronic health record for treatment, maintain, or transmit on behalf of the criminal penalties for the failure to payment, or health care operations; covered entities. comply with these provisions. generally prohibits the sale of protected The Enforcement Rule establishes Similarly, section 13404 makes business health information without a valid rules governing the compliance associates of covered entities civilly and authorization from the individual; and responsibilities of covered entities with criminally liable under the Privacy Rule strengthens an individual’s right to an respect to cooperation in the for making uses and disclosures of electronic copy of their protected health enforcement process. It also provides protected health information that do not information, where a covered entity rules governing the investigation by the comply with the terms of their business uses or maintains an electronic health Department of compliance by covered associate contracts. The Act also record. entities, both through the investigation provides that the additional privacy and Section 13406 of the Act requires the of complaints and the conduct of security requirements of subtitle D of Department to modify the marketing compliance reviews. It establishes rules the Act are applicable to business and fundraising provisions of the governing the process and grounds for associates and that such requirements Privacy Rule. With respect to marketing, establishing the amount of a civil money shall be incorporated into business the Act requires authorizations for penalty where the Department has associate contracts. Finally, section certain health-related communications, determined a covered entity has 13408 of the Act requires that which are currently exempted from the violated a requirement of a HIPAA Rule. organizations that provide data definition of marketing, if the covered Finally, the Enforcement Rule transmission of protected health entity receives remuneration in establishes rules governing the information to a covered entity or exchange for making thesrobinson on DSKHWCL6B1PROD with PROPOSALS2 procedures for hearings and appeals business associate and that require communication. The Act also where the covered entity challenges a routine access to such information, such strengthens an individual’s right under violation determination. as Health Information Exchange the Privacy Rule to opt out of Organizations, Regional Health fundraising communications by C. The HITECH Act—Statutory Information Organizations, and E- requiring the Department to modify the Background prescribing Gateways, as well as Privacy Rule so that covered entities The HITECH Act, enacted on vendors that contract with covered must provide individuals with a clear February 17, 2009, is designed to entities to offer personal health records and conspicuous opportunity to opt out promote the widespread adoption and to patients as part of the covered of receiving fundraising VerDate Mar<15>2010 15:51 Jul 13, 2010 Jkt 220001 PO 00000 Frm 00003 Fmt 4701 Sfmt 4702 E:FRFM14JYP2.SGM 14JYP2
40870 Federal Register / Vol. 75, No. 134 / Wednesday, July 14, 2010 / Proposed Rules communications and by requiring that health information unusable, of previous rulemakings. In addition, we an opt out be treated as a revocation of unreadable, or indecipherable to do not address in this rulemaking the authorization under the Privacy Rule. unauthorized individuals (section accounting for disclosures requirement Section 13410 of the Act addresses 13402(h)); guidance on what constitutes in section 13405 of the Act, which is enforcement in a number of ways. First, the minimum necessary amount of tied to the adoption of a standard under section 13410(a) provides that the information for purposes of the Privacy the HITECH Act at subtitle A of title XIII Secretary’s authority to impose a civil Rule (section 13405(b)); a report by the of ARRA, or the penalty distribution money penalty will only be barred to Government Accountability Office methodology requirement in section the extent a criminal penalty has been (GAO) regarding recommendations for a 13410(c) of the Act, which is to be based imposed, rather than in cases in which methodology under which harmed on the recommendations noted above to the offense in question merely individuals may receive a percentage of be developed at a later date by the GAO. constitutes an offense criminally civil money penalties and monetary punishable. In addition, section These provisions will be the subject of settlements under the HIPAA Privacy 13410(a) of the Act requires the future rulemakings. Further, we clarify and Security Rules (section 13410(c)); a Secretary to formally investigate any report to Congress on HIPAA Privacy that we are not issuing regulations with complaint where a preliminary and Security enforcement (section respect to the new authority of the State investigation of the facts indicates a 13424(a)); a study and report on the Attorneys General to enforce the HIPAA possible violation due to willful neglect application of privacy and security Rules. Finally, other than the guidance and to impose a penalty where a requirements to non-HIPAA covered required by section 13405(b) of the Act violation is found in such cases. Section entities (section 13424(b)); guidance on with respect to what constitutes 13410(c) of the Act provides, for de-identification (section 13424(c)); and minimum necessary, this proposed rule purposes of enforcement, for the transfer a study on the Privacy Rule’s definition does not address the studies, reports, to the HHS Office for Civil Rights of any of ‘‘psychotherapy notes’’ at 45 CFR guidance, audits, or education efforts civil money penalty or monetary 164.501, with regard to including test required by the HITECH Act. settlement collected under the Privacy data that is related to direct responses, and Security Rules and also requires the D. The HITECH Act—Regulatory scores, items, forms, protocols, manuals, Department to establish by regulation a or other materials that are part of a Background methodology for distributing to harmed mental health evaluation (section As noted above, certain of the individuals a percentage of the civil 13424(f)). HITECH Act’s privacy and security money penalties and monetary Finally, the Act includes provisions provisions have already been the subject settlements collected under the Privacy for education by HHS on health of rulemakings and related actions. In and Security Rules. Effective as of information privacy and for periodic particular, the Department published February 18, 2009, section 13410(d) of audits by the Secretary. Section the Act also modified the civil money 13403(a) provides for the Secretary to interim final regulations to implement penalty structure for violations of the designate HHS regional office privacy the breach notification provisions at HIPAA Rules by implementing a tiered advisors to offer guidance and education section 13402 of the Act for HIPAA increase in the amount of penalties to covered entities, business associates, covered entities and business associates based on culpability. In addition, as of and individuals on their rights and in the Federal Register on August 24, February 18, 2009, section 13410(e) of responsibilities related to Federal 2009 (74 FR 42740), effective September the Act also granted State Attorneys privacy and security requirements for 23, 2009. Similarly, the FTC published General the authority to enforce the protected health information. Section final regulations implementing the HIPAA Rules by bringing civil actions 13403(b) requires the HHS Office for breach notification provisions at section on behalf of State residents in court. Civil Rights, not later than 12 months 13407 for personal health record Section 13421 states that HIPAA’s after enactment, to develop and vendors and their third party service State preemption provisions at 42 U.S.C. maintain a multi-faceted national providers on August 25, 2009 (74 FR 1320d–7 shall apply to the provisions of education initiative to enhance public 42962), effective September 24, 2009. subtitle D of the HITECH Act in the transparency regarding the uses of For purposes of determining to what same manner as they do to HIPAA’s protected health information, including information the HHS and FTC breach provisions.1 Section 13423 of the Act programs to educate individuals about notification regulations apply, the provides a general effective date of potential uses of their protected health Department also issued, first on April February 18, 2010, for most of its information, the effects of such uses, 17, 2009 (published in the Federal provisions, except where a different and the rights of individuals with Register on April 27, 2009, 74 FR effective date is otherwise provided. respect to such uses. Section 13411 19006), and then later with its interim The Act also provides for the requires the Secretary to provide for final rule, the guidance required by the development of guidance, reports, and periodic audits to ensure covered HITECH Act under 13402(h) specifying studies in a number of areas, including entities and business associates comply the technologies and methodologies that guidance on appropriate technical with the applicable requirements of the render protected health information safeguards to implement the HIPAA HIPAA Privacy and Security Rules. We discuss many of the Act’s unusable, unreadable, or indecipherable Security Rule (section 13401(c)); for statutory provisions in more detail to unauthorized individuals. In purposes of breach notification, addition, to conform the provisions ofsrobinson on DSKHWCL6B1PROD with PROPOSALS2 guidance on the methods and below where we describe section-by- section how these proposed regulations the Enforcement Rule to the new tiered technologies for rendering protected would implement those provisions of and increased civil money penalty 1 We note that section 13421 of the HITECH Act the Act. However, we do not discuss in structure made effective by the HITECH and HIPAA’s State preemption provisions do not detail the breach notification provisions Act on the day after enactment, or affect the applicability of other Federal law, such in sections 13402 of the Act or the February 18, 2009, the Department as the Confidentiality of Alcohol and Drug Abuse published an interim final rule on Patient Records Regulation at 42 CFR Part 2, to a modified civil money penalty structure covered entity’s use or disclosure of health in section 13410(d) of the Act, which as October 30, 2009 (74 FR 56123), information. explained below, have been the subject effective November 30, 2009. VerDate Mar<15>2010 15:51 Jul 13, 2010 Jkt 220001 PO 00000 Frm 00004 Fmt 4701 Sfmt 4702 E:FRFM14JYP2.SGM 14JYP2
Federal Register / Vol. 75, No. 134 / Wednesday, July 14, 2010 / Proposed Rules 40871 II. General Issues Secretary to further delay the that the 180-day compliance period compliance date for small health plans, would not govern the time period A. Effective and Compliance Dates we do not believe that it is necessary to required to modify those business As noted above, section 13423 of the do so for this rule both because most of associate agreements that qualify for the Act provides that the provisions in the changes being proposed are discrete longer transition period proposed in subtitle D took effect one year after modifications to existing requirements § 164.532. We seek comments on any enactment, i.e., on February 18, 2010, of the HIPAA Rules, as well as because potential unintended consequences of except as specified otherwise. There are the Department is proposing an establishing a 180-day compliance date a number of exceptions to this general additional one-year transition period to as a regulatory default, with the noted rule. Some provisions were effective the modify certain business associate exceptions. day after enactment, i.e., February 18, agreements, which should provide 2009. For example, the tiered and sufficient relief to all covered entities, B. Other Proposed Changes increased civil money penalty including small health plans. The While passage of the HITECH Act provisions of section 13410(d) were Department welcomes comment on the necessitates much of the rulemaking effective for violations occurring after assumption that it is not necessary to below, it does not account for all of the the date of enactment. Sections 13402 extend the compliance date for small proposed changes to the HIPAA Privacy, and 13407 of the Act regarding breach health plans. Security, and Enforcement Rules notification required interim final rules We also expect that for future encompassed in this rulemaking. The within 180 days of enactment, with modifications to the HIPAA Rules, in Department is taking this opportunity to effective dates 30 days after the most cases, a 180-day compliance improve the workability and publication of such rules. Other period will suffice. Accordingly, we effectiveness of all three sets of HIPAA provisions of the Act have later effective propose to add a provision at § 160.105 Rules. The Privacy Rule has not been dates. For example, the provision at to address the compliance date amended since 2002, and the Security section 13410(a)(1) of the Act providing generally for implementation of new or Rule has not been amended since 2003. that the Secretary’s authority to impose modified standards in the HIPAA Rules. While the Enforcement Rule was a civil money penalty will only be Proposed § 160.105 would provide that amended in the October 30, 2009, barred to the extent a criminal penalty with respect to new standards or interim final rule to incorporate the has been imposed, rather than in cases implementation specifications or enforcement-related HITECH statutory in which the offense in question merely modifications to standards or constitutes an offense that is criminally changes that are already effective, it has implementation specifications in the punishable, becomes effective for not been otherwise substantively HIPAA Rules, except as otherwise violations occurring on or after February amended since 2006. In the intervening provided, covered entities and business 18, 2011. The rules proposed below years, HHS has accumulated a wealth of associates must comply with the generally pertain to the statutory experience with these rules, both from applicable new standards or provisions that became effective on public contact in various forums and implementation specifications or February 18, 2010, or, in a few cases, on through the process of enforcing the modifications to standards or a later date. rules. In addition, we have identified a implementation specifications no later We note that the final rule will not number of needed technical corrections than 180 days from the effective date of take effect until after most of the to the rules. Accordingly, we propose a any such change. Where future provisions of the HITECH Act became modifications to the HIPAA Rules number of modifications that we believe effective on February 18, 2010. We necessitate a longer compliance period, will eliminate ambiguities in the rules recognize that it will be difficult for we would provide so accordingly in the and/or make them more workable and covered entities and business associates regulatory text. We propose to retain the effective. Further, we propose a few to comply with the statutory provisions compliance date provisions at modifications to conform the HIPAA until after we have finalized our §§ 164.534 and 164.318, which provide Privacy Rule to provisions in the Patient changes to the HIPAA Rules. In the compliance dates of April 14, 2003, Safety and Quality Improvement Act of addition, we recognize that covered and April 20, 2005, for initial 2005 (PSQIA). We address the entities and business associates will implementation of the HIPAA Privacy substantive proposed changes in the need some time beyond the effective and Security Rules, respectively, for section-by-section description of the date of the final rule to come into historical purposes only. proposed rule below. Technical compliance with the final rule’s We note that proposed § 160.105 corrections are discussed at the end of provisions. In light of these regarding the compliance date of new or the section-by-section description of the considerations, we intend to provide modified standards or implementation other proposed amendments to the covered entities and business associates specifications would not apply to rules. with 180 days beyond the effective date modifications to the provisions of the III. Section-by-Section Description of of the final rule to come into HIPAA Enforcement Rule because such the Proposed Amendments to Subparts compliance with most of the rule’s provisions are not standards or A and B of Part 160 provisions. We believe that providing a implementation specifications (as the 180-day compliance period best terms are defined at § 160.103). Such Subpart A of part 160 of the HIPAA comports with section 1175(b)(2) of the provisions are in effect and apply at the Rules contains general provisions thatsrobinson on DSKHWCL6B1PROD with PROPOSALS2 Social Security Act, 42 U.S.C. 1320d–4, time the final rule becomes effective or apply to all of the HIPAA Rules. Subpart and our implementing provision at 45 as otherwise specifically provided. We B of part 160 contains the regulatory CFR 160.104(c)(1), which require the also note that our proposed general rule provisions implementing HIPAA’s Secretary to provide at least a 180-day for a 180-day compliance period for new preemption provisions. We propose to period for covered entities to comply or modified standards would not apply amend a number of these provisions. with modifications to standards and where we expressly provide a different Some of the proposed changes are implementation specifications in the compliance period in the regulation for necessitated by the statutory changes HIPAA Rules. While the Social Security one or more provisions. For purposes of made by the HITECH Act, while others Act and the HIPAA Rules permit the this proposed rule, this would mean are of a technical or conforming nature. VerDate Mar<15>2010 15:51 Jul 13, 2010 Jkt 220001 PO 00000 Frm 00005 Fmt 4701 Sfmt 4702 E:FRFM14JYP2.SGM 14JYP2
40872 Federal Register / Vol. 75, No. 134 / Wednesday, July 14, 2010 / Proposed Rules A. Subpart A—General Provisions, definition a reference to sections 13400– for purposes of PSQIA and the Patient Section 160.101—Statutory Basis and 13424 of the HITECH Act. Safety Rule, 42 CFR 3.10, et seq. While Purpose the HIPAA Rules as written would 2. Definition of ‘‘Business Associate’’ encompass a PSO as a business This section sets out the statutory Sections 164.308(b) of the Security associate when the PSO was performing basis and purpose of the HIPAA Rules. Rule and 164.502(e) of the Privacy Rule quality analyses and other activities on We propose a technical change to require a covered entity to enter into a behalf of a covered health care provider, include a reference to the provisions of contract or other written agreement or we propose this change to the definition the HITECH Act upon which most of the arrangement with its business of business associate to more clearly regulatory changes proposed below are associates. The purpose of these align the HIPAA and Patient Safety based. contracts or other arrangements, Rules. B. Subpart A—General Provisions, generally known as business associate We note that in some cases a covered Section 160.102—Applicability agreements, is to provide some legal health care provider, such as a public or protection when protected health private hospital, may have a component This section sets out to whom the information is being handled by another PSO that performs patient safety HIPAA Rules apply. We propose to add person (a natural person or legal entity) activities on behalf of the health care a new paragraph (b) to make clear, on behalf of a covered entity. The provider. See 42 CFR 3.20. In such consistent with the provisions of the HIPAA Rules define ‘‘business cases, the component PSO would not be HITECH Act that are discussed more associate’’ generally to mean a person a business associate of the covered fully below, that the standards, who performs functions or activities on entity but rather the persons performing requirements, and implementation behalf of, or certain services for, a patient safety activities would be specifications of the subchapter apply to covered entity that involve the use or workforce members of the covered business associates, where so provided. disclosure of protected health entity. However, if the component PSO C. Subpart A—General Provisions, information. Examples of business contracts out some of its patient safety Section 160.103—Definitions associates include third party activities to a third party, the third party administrators or pharmacy benefit would be a business associate of the Section 160.103 contains definitions managers for health plans, claims covered entity. In addition, if a of terms that appear throughout the processing or billing companies, component PSO of one covered entity HIPAA Rules. For ease of reference, we transcription companies, and persons performs patient safety activities for propose to move several definitions who perform legal, actuarial, another covered entity, such component currently found at § 160.302 to accounting, management, or PSO would be a business associate of § 160.103 without substantive change to administrative services for covered the other covered entity. the definitions themselves. This entities and who require access to category includes definitions of the protected health information. We b. Inclusion of Health Information following terms: ‘‘ALJ,’’ ‘‘civil money propose a number of modifications to Organizations (HIO), E–Prescribing penalty,’’ and ‘‘violation or violate.’’ As the definition of ‘‘business associate.’’ In Gateways, and Other Persons That the removal of these definitions, along particular, we propose to modify the Facilitate Data Transmission; as Well as with the removal of other definitions definition to conform the term to the Vendors of Personal Health Records discussed below (e.g., ‘‘administrative statutory provisions of PSQIA, 42 U.S.C. Section 13408 of the HITECH Act, simplification provision’’ and 299b–21, et seq., and the HITECH Act. which became effective on February 18, ‘‘respondent’’), would leave § 160.302 Additional modifications are made for 2010, provides that an organization, unpopulated, we propose to reserve that the purpose of clarifying circumstances such as a Health Information Exchange section. We also propose to remove a when a business associate relationship Organization, E-prescribing Gateway, or comma from the definition of exists and for general clarification of the Regional Health Information ‘‘disclosure’’ inadvertently inserted into definition. Organization, that provides data the definition in a prior rulemaking, transmission of protected health which is not intended as a substantive a. Inclusion of Patient Safety information to a covered entity (or its change to the definition. In addition, we Organizations business associate) and that requires propose to replace the term We propose to add patient safety access on a routine basis to such ‘‘individually identifiable health activities to the list of functions and protected health information must be information’’ with ‘‘protected health activities a person may undertake on treated as a business associate for information’’ in the definition of behalf of a covered entity that give rise purposes of the Act and the HIPAA ‘‘standard’’ to better reflect the scope of to a business associate relationship. Privacy and Security Rules. Section the Privacy and Security Rules. Further, PSQIA, at 42 U.S.C. 299b–22(i)(1), 13408 also provides that a vendor that we propose the following definitional provides that Patient Safety contracts with a covered entity to allow changes: Organizations (PSOs) must be treated as the covered entity to offer a personal business associates when applying the health record to patients as part of the 1. Definition of ‘‘Administrative Privacy Rule. PSQIA provides for the covered entity’s electronic health record Simplification Provision’’ establishment of PSOs to receive reports shall be treated as a business associate. This definition is currently located in of patient safety events or concerns from Section 13408 requires that suchsrobinson on DSKHWCL6B1PROD with PROPOSALS2 the definitions section of subpart C of providers and provide analyses of organizations and vendors enter into a part 160 of the HIPAA Enforcement events to reporting providers. A written business associate contract or Rule. We propose to remove the reporting provider may be a HIPAA other arrangement with the covered definition of this term from § 160.302 covered entity and, thus, information entity in accordance with the HIPAA and move it to the definitions section reported to a PSO may include Rules. located at § 160.103 for clarity and protected health information that the In accordance with the Act, we convenience, as the term is used PSO may analyze on behalf of the propose to modify the definition of repeatedly throughout the entire part covered provider. The analysis of such ‘‘business associate’’ to explicitly 160. We also propose to add to the information is a patient safety activity designate these persons as business VerDate Mar<15>2010 15:51 Jul 13, 2010 Jkt 220001 PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 E:FRFM14JYP2.SGM 14JYP2
Federal Register / Vol. 75, No. 134 / Wednesday, July 14, 2010 / Proposed Rules 40873 associates. Under proposed paragraphs mere conduits for the transport of underlying these provisions. The (3)(i) and (ii) of the definition, the term protected health information but do not proposed definition of ‘‘subcontractor’’ ‘‘business associate’’ would include: (1) access the information other than on a also is consistent with Congress’ overall A Health Information Organization, E- random or infrequent basis are not concern that the privacy and security prescribing Gateway, or other person business associates. See http:// protections of the HIPAA Rules extend that provides data transmission services www.hhs.gov/ocr/privacy/hipaa/faq/ beyond covered entities to those entities with respect to protected health providers/business/245.html. In that create or receive protected health information to a covered entity and that contrast, however, entities that manage information in order for the covered requires routine access to such the exchange of protected health entity to perform its health care protected health information; and (2) a information through a network, functions. For example, as discussed person who offers a personal health including providing patient locator above, section 13408 makes explicit that record to one or more individuals on services and performing various certain types of entities providing behalf of a covered entity. oversight and governance functions for services to covered entities—e.g., Section 13408 of the Act makes electronic health information exchange, vendors of personal health records— reference to Health Information have more than ‘‘random’’ access to shall be considered business associates. Exchange Organizations; however, we protected health information and thus, Therefore, consistent with Congress’ instead include in the proposed would fall within the definition of intent in sections 13401 and 13404 of definition the term ‘‘Health Information ‘‘business associate.’’ the Act, as well as its overall concern Organization’’ because it is our that the HIPAA Rules extent beyond understanding that ‘‘Health Information c. Inclusion of Subcontractors covered entities to those entities that Organization’’ is the more widely We propose to add language in create or receive protected health recognized and accepted term to paragraph (3)(iii) of the definition of information, we propose that describe an organization that oversees ‘‘business associate’’ to provide that downstream entities that work at the and governs the exchange of health- subcontractors of a covered entity—i.e., direction of or on behalf of a business related information among those persons that perform functions for associate and handle protected health organizations.2 Section 13408 of the Act or provide services to a business information would also be required to also specifically refers to Regional associate, other than in the capacity as comply with the applicable Privacy and Health Information Organizations. a member of the business associate’s Security Rule provisions in the same However, we do not believe the workforce, are also business associates manner as the primary business inclusion of the term in the definition to the extent that they require access to associate, and likewise would incur of ‘‘business associate’’ is necessary as a protected health information. We also liability for acts of noncompliance. We Regional Health Information propose to include a definition of note, and further explain below, that Organization is simply a Health ‘‘subcontractor’’ in § 160.103 to make this proposed modification would not Information Organization that governs clear that a subcontractor is a person require the covered entity to have a health information exchange among who acts on behalf of a business contract with the subcontractor; rather, organizations within a defined associate, other than in the capacity of the obligation would remain on each geographic area.3 Further, the specific a member of the workforce of such business associate to obtain satisfactory terms of ‘‘Health Information business associate. Even though we use assurances in the form of a written Organization’’ and ‘‘E-prescribing the term ‘‘subcontractor,’’ which implies contract or other arrangement that a Gateway’’ are merely illustrative of the there is a contract in place between the subcontractor will appropriately types of organizations that would fall parties, we note that the definition safeguard protected health information. within this paragraph of the definition would apply to an agent or other person For example, under this proposal, if a of ‘‘business associate.’’ We request who acts on behalf of the business business associate, such as a third party comment on the use of these terms associate, even if the business associate administrator, hires a company to within the definition and whether has failed to enter into a business handle document and media shredding additional clarifications or additions are associate contract with the person. We to securely dispose of paper and necessary. request comment on the use of the term electronic protected health information, Section 13408 also provides that the ‘‘subcontractor’’ and its proposed then the shredding company would be data transmission organizations that the definition. directly required to comply with the Act requires to be treated as business The proposed modifications are applicable requirements of the HIPAA associates are those that require access similar in structure and effect to the Security Rule (e.g., with respect to to protected health information on a Privacy Rule’s initial extension of proper disposal of electronic media) and routine basis. Conversely, data privacy protections from covered the Privacy Rule (e.g., with respect to transmission organizations that do not entities to business associates through limiting its uses and disclosures of the require access to protected health contract requirements to protect protected health information in information on a routine basis would downstream protected health accordance with its contract with the not be treated as business associates. information. The proposed provisions business associate). This is consistent with our prior avoid having privacy and security protections for protected health d. Exceptions to Business Associate interpretation of the definition of ‘‘business associate,’’ through which we information lapse merely because a We also propose to move thesrobinson on DSKHWCL6B1PROD with PROPOSALS2 have indicated that entities that act as function is performed by an entity that provisions at §§ 164.308(b)(2) and is a subcontractor rather than an entity 164.502(e)(1)(ii) to the definition of 2 Department of Health and Human Services, with a direct relationship with a business associate. These provisions Office of the National Coordinator for Health covered entity. Allowing such a lapse in provide that in certain circumstances, Information Technology, The National Alliance for privacy and security protections may such as when a covered entity discloses Health Information Technology Report to the Office allow business associates to avoid protected health information to a health of the National Coordinator For Health Information Technology: Defining Key Health Information liability imposed upon them by sections care provider concerning the treatment Terms, Pg. 24 (2008). 13401 and 13404 of the Act, thus of an individual, a covered entity is not 3 Id. at 25. circumventing the congressional intent required to enter into a business VerDate Mar<15>2010 15:51 Jul 13, 2010 Jkt 220001 PO 00000 Frm 00007 Fmt 4701 Sfmt 4702 E:FRFM14JYP2.SGM 14JYP2