HIPAA Privacy Regulations: General Rules for Uses and Disclosures of Protected Health Information: Disclosures to Business Associates - § 164.502(e)
As Contained in the HHS HIPAA Privacy Rules
HHS Guidance: Business Associates
|
HHS Regulations as Amended January 2013 |
(e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
(ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with §164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.
(2) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of §164.504(e).
| HHS Description and Commentary From the January 2013 Amendments General Rules for Uses and Disclosures of Protected Health Information: Disclosures to Business Associates |
Proposed Rule
Section 164.502(e) permits a covered entity to disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurances, in the form of a written contract or other written arrangement with the business associate that meets the requirements of § 164.504(e), that the business associate will appropriately safeguard the information. We proposed a parallel provision in § 164.502(e) that would allow a business associate to disclose protected health information to a business associate that is a subcontractor, and to allow the subcontractor to create or receive protected health information on its behalf, if the business associate obtains similar satisfactory assurances that the subcontractor will appropriately safeguard the information.
Consistent with the proposal with respect to Security Rule requirements and business associates, we proposed to make clear in § 164.502(e) that a covered entity would not be required to obtain satisfactory assurances from business associates that are subcontractors. Rather, a business associate would be required to obtain such assurances from a subcontractor. Thus, the proposed provisions would not change the parties to the contracts. For example, a covered entity may choose to contract with a business associate (contractor) to use or disclose protected health information on its behalf, the business associate may choose to obtain the services of (and exchange protected health information with) a subcontractor (subcontractor 1), and that subcontractor may, in turn, contract with another subcontractor (subcontractor 2) for services involving protected health information. The contractor and subcontractors 1 and 2 would now be business associates with direct liability under the HIPAA Rules, and would be required to obtain business associate agreements with the parties with whom they contract for services that involve access to protected health information. (Note, however, as discussed above with respect to the definition of “business associate,” direct liability under the HIPAA Rules would attach regardless of whether the contractor and subcontractors have entered into the required business associate agreements.)
We also proposed to remove § 164.502(e)(1)(iii), which provides that a covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the Privacy Rule’s business associate agreement provisions, given that proposed changes to § 164.502 would now restrict directly the uses and disclosures of protected health information by a business associate, including a covered entity acting as a business associate, to those uses and disclosures permitted by its business associate agreement.
Finally, as discussed above with respect to the definition of business associate, we proposed to move the current exceptions to business associate to the definition itself in § 160.103.
Overview of Public Comments to Sections 164.502(e) and 164.504(e)
Several commenters expressed confusion regarding the need for business associate agreements, considering the provisions for direct liability from the HITECH Act and in the proposed rule. Many of these commenters suggested that all of the requirements of the Privacy Rule apply to business associates, as is the case with the Security Rule.
A few commenters requested clarification about what constitutes “satisfactory assurances” pursuant to the rule, asking whether, for example, there were expectations on covered entities to ensure that business associates (including subcontractors) have appropriate controls in place besides business associate agreements or whether a covered entity must obtain from a business associate satisfactory assurance that any business associate subcontractors are complying with the Rules. Several commenters requested clarification on the appropriateness of indemnification clauses in business associate agreements.
Finally, several commenters requested that the Department provide a model business associate agreement.
Final Rule: Sections 164.502(e) and 164.504(e)
The final rule adopts the proposed modifications to §§ 164.502(e) and 164.504(e).
As we discussed above, while section 13404 of the HITECH Act provides that business associates are now directly liable for civil money penalties under the HIPAA Privacy Rule for impermissible uses and disclosures and for the additional HITECH requirements in Subtitle D that are made applicable to covered entities, it does not apply all of the requirements of the Privacy Rule to business associates and thus, the final rule does not.
Therefore, business associates are not required to comply with other provisions of the Privacy Rule, such as providing a notice of privacy practices or designating a privacy official, unless the covered entity has chosen to delegate such a responsibility to the business associate, which would then make it a contractual requirement for which contractual liability would attach.
Concerning commenters’ questions about the continued need for business associate agreements given the new direct liability on business associates for compliance, we note that section 13404 of the HITECH Act expressly refers and ties business associate liability to making uses and disclosures in accordance with the uses and disclosures laid out in such agreements, rather than liability for compliance with the Privacy Rule generally. Further, section 13408 of the HITECH Act requires certain data transmission and personal health record vendors to have in place business associate agreements with the covered entities they serve. We also continue to believe that, despite the business associate’s direct liability for certain provisions of the HIPAA Rules, the business associate agreement is necessary to clarify and limit, as appropriate, the permissible uses and disclosures by the business associate, given the relationship between the parties and the activities or services being performed by the business associate. The business associate agreement is also necessary to ensure that the business associate is contractually required to perform certain activities for which direct liability does not attach (such as amending protected health information in accordance with § 164.526). In addition, the agreement represents an opportunity for the parties to clarify their respective responsibilities under the HIPAA Rules, such as by establishing how the business associate should handle a request for access to protected health information that it directly receives from an individual. Finally, the business associate agreement serves to notify the business associate of its status under the HIPAA Rules, so that it is fully aware of its obligations and potential liabilities.
With respect to questions about “satisfactory assurances,” § 164.502(e) provides that covered entities and business associates must obtain and document the “satisfactory assurances” of a business associate through a written contract or other agreement, such as a memorandum of understanding, with the business associate that meets the applicable requirements of § 164.504(e). As discussed above, § 164.504(e) specifies the provisions required in the written agreement between covered entities and business associates, including a requirement that a business associate ensure that any subcontractors agree to the same restrictions and conditions that apply to the business associate by providing similar satisfactory assurances. Beyond the required elements at § 164.504(e), as with any contracting relationship, business associates and covered entities may include other provisions or requirements that dictate and describe their business relationship, and that are outside the governance of the Privacy and Security Rules. These may or may not include additional assurances of compliance or indemnification clauses or other riskshifting provisions.
We also clarify with respect to the satisfactory assurances to be provided by subcontractors, that the agreement between a business associate and a business associate that is a subcontractor may not permit the subcontractor to use or disclose protected health information in a manner that would not be permissible if done by the business associate. For example, if a business associate agreement between a covered entity and a contractor does not permit the contractor to de-identify protected health information, then the business associate agreement between the contractor and a subcontractor (and the agreement between the subcontractor and another subcontractor) cannot permit the deidentification of protected health information. Such a use may be permissible if done by the covered entity, but is not permitted by the contractor or any subcontractors if it is not permitted by the covered entity’s business associate agreement with the contractor. In short, each agreement in the business associate chain must be as stringent or more stringent as the agreement above with respect to the permissible uses and disclosures.
Finally, in response to the comments requesting a model business associate agreement, we note that the Department has published sample business associate provisions on its web site. The sample language is designed to help covered entities comply with the business associate agreement requirements of the Privacy and Security Rules. However, use of these sample provisions is not required for compliance with the Rules, and the language should be amended as appropriate to reflect actual business arrangements between the covered entity and the business associate (or a business associate and a subcontractor).
Response to Other Public Comments: Sections 164.502(e) and 164.504(e)
Comment: Commenters requested guidance on whether a contract that complies with the requirements of the Graham Leach Bliley Act (GLBA) and incorporates the required elements of the HIPAA Rules may satisfy both sets of regulatory requirements.
The commenters urged the Department to permit a single agreement rather than requiring business associates and business associate subcontractors to enter into separate GLBA agreements and business associate agreements.
Response: While meeting the requirements of the GLBA does not satisfy the requirements of the HIPAA Rules, covered entities may use one agreement to satisfy the requirements of both the GLBA and the HIPAA Rules.
Comment: A few commenters recommended adding an exception to having a business associate agreement for a person that receives a limited dataset and executes a data use agreement for research, health care operations, or public health purposes.
Response: We have prior guidance that clarifies that if only a limited dataset is released to a business associate for a health care operations purpose, then a data use agreement suffices and a business associate agreement is not necessary. To make this clear in the regulation itself, we are adding to § 164.504(e)(3) a new paragraph (iv) that recognizes that a data use agreement may qualify as a business associate’s satisfactory assurance that it will appropriately safeguard the covered entity’s protected health information when the protected health information disclosed for a health care operations purpose is a limited data set. A similar provision is not necessary or appropriate for disclosures of limited data sets for research or public health purposes since such disclosures would not otherwise require business associate agreements.
Comment: A few commenters requested that the Department delete § 164.504(e)(2)(ii)(H), which provides that to the extent the business associate is to carry out a covered entity’s obligation under the HIPAA Rules, the business associate must comply with the requirements of the HIPAA Rules that apply to the covered entity in the performance of the obligation on behalf of the covered entity. Alternatively, commenters suggested that the Department clarify that the requirements of the section need not be included in business associate agreements and that this section does not limit the ability of covered entities and business associates to negotiate responsibilities with regard to other sections of the Privacy Rule.
Response: The Department declines to delete § 164.504(e)(2)(ii)(H). If a business associate contracts to provide services to the covered entity with regard to fulfilling individual rights or other obligations of the covered entity under the Privacy Rule, then the business associate agreement must require the business associate to fulfill such obligation in accordance with the Privacy Rule’s requirements. We do clarify, however, that if the covered entity does not delegate any of its responsibilities under the Privacy Rule to the business associate, then § 164.504(e)(2)(ii)(H) is not applicable and the parties are not required to include such language.
Comment: One commenter requested that the Department modify § 164.502(a)(4)(i) to permit business associates to use and disclose protected health information for their own health care operations purposes, and another commenter requested that the Department clarify whether § 164.504(e)(4) provides that a business associate may use or disclose protected health information as a covered entity would use or disclose the information.
Response: The Department declines to make the suggested modification.
Business associates do not have their own health care operations (see the definition of health care operations at § 164.501, which is limited to activities of the covered entity).
While a business associate does not have health care operations, it is permitted by § 164.504(e)(2)(i)(A) to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).
Comment: One commenter suggested requiring subcontractors to return or destroy all protected health information received from or created for a business associate when the contract with the business associate is terminated.
Response: The final rule at § 164.504(e)(5) does apply the requirements at § 164.504(e)(2) through (4) (which set forth the requirements for agreements between covered entities and their business associates) to agreements between business associates and their subcontractors. This includes § 164.504(e)(2)(ii)(J), which requires the business associate to return or destroy all protected health information received from, or created or received on behalf of, the covered entity at the termination of the contract, if feasible. When this requirement is applied to the agreement between the business associate and its business associate subcontractor, the effect is a contractual obligation for the business associate subcontractor to similarly return or destroy protected health information at the termination of the contract, if feasible.
Comment: One commenter suggested requiring a business associate to disclose all subcontractors of the business associate to a covered entity within thirty days of the covered entity’s request.
Response: The Department declines to adopt this suggestion as a requirement of the HIPAA Rules, because such a requirement would impose an undue disclosure burden on business associates. However, covered entities and business associates may include additional terms and conditions in their contracts beyond those required by § 164.504.
Comment: One commenter suggested establishing a certification process of business associates and subcontractors with regard to HIPAA compliance.
Response: The Department declines to establish or endorse a certification process for HIPAA compliance for business associates and subcontractors. Business associates and subcontractors are free to enlist the services of outside entities to assess their compliance with the HIPAA Rules and certification may be a useful compliance tool for entities, depending on the rigor of the program. However, certification does not guarantee compliance and therefore “certified” entities may still be subject to enforcement by OCR.
Comment: One commenter requested clarification on when it is not feasible for a business associate to terminate a contract with a subcontractor.
Response: Whether it is feasible for a business associate to terminate an agreement with a business associate subcontractor is a very fact-specific inquiry that must be examined on a case-by-case basis. For example, termination is not feasible for a business associate with regard to a subcontractor relationship where there are no other viable business alternatives for the business associate (when the subcontractor, for example, provides a unique service that is necessary for the business associate’s operations). See our prior guidance on this issue as it applies to covered entities and business associates in Frequently Asked Question #236, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/236.html.[Link no longer active]
| HHS Description From the Original Rulemaking General Rules for Uses and Disclosures of Protected Health Information: Disclosures to Business Associates |
In the proposed rule, other than for purposes of consultation or referral for treatment, we would have allowed a covered entity to disclose protected health information to a business partner only pursuant to a written contract that would, among other specified provisions, limit the business partner's uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We proposed to define the term “business partner” to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity.
In the final rule, we change the term “business partner” to “business associate” and in the definition clarify the full range of circumstances in which a person is acting as a business associate of a covered entity. (See definition of “business associate” in § 160.103.) These changes mean that § 164.502(e) requires a business associate contract (or other arrangement, as applicable) not only when the covered entity discloses protected health information to a business associate, but also when the business associate creates or receives protected health information on behalf of the covered entity.
In the final rule, we modify the proposed standard and implementation specifications for business associates in a number of significant ways. These modifications are explained in the preamble discussion of § 164.504(e).
| HHS Response to Comments Received From the Original Rulemaking General Rules for Uses and Disclosures of Protected Health Information: Disclosures to Business Associates |
Comments on business associates are addressed in the preamble to § 164.504(e).