HIPAA Privacy Regulations: Privacy of Individually Identifiable Health Information: Applicability - § 164.500
As Contained in the HHS HIPAA Privacy Rules
HHS Regulations as Amended January 2013 |
(a) Except as otherwise provided herein, the standards, requirements, and implementation specifications of this subpart apply to covered entities with respect to protected health information.
(b) Health care clearinghouses must comply with the standards, requirements, and implementation specifications as follows:
(1) When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, the clearinghouse must comply with:
(i) Section 164.500 relating to applicability;
(ii) Section 164.501 relating to definitions;
(iii) Section 164.502 relating to uses and disclosures of protected health information, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;
(iv) Section 164.504 relating to the organizational requirements for covered entities;
(v) Section 164.512 relating to uses and disclosures for which individual authorization or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;
(vi) Section 164.532 relating to transition requirements; and
(vii) Section 164.534 relating to compliance dates for initial implementation of the privacy standards.
(2) When a health care clearinghouse creates or receives protected health information other than as a business associate of a covered entity, the clearinghouse must comply with all of the standards, requirements, and implementation specifications of this subpart.
(c) Where provided, the standards, requirements, and implementation specifications adopted under this subpart apply to a business associate with respect to the protected health information of a covered entity.
(d) The standards, requirements, and implementation specifications of this subpart do not apply to the Department of Defense or to any other federal agency, or non-governmental organization acting on its behalf, when providing health care to overseas foreign national beneficiaries.
HHS Description and Commentary From the January 2013 Amendments |
Section 13404 of the HITECH Act makes specific requirements of the Privacy Rule applicable to business associates and creates direct liability for noncompliance by business associates with regard to those requirements.
Proposed Rule
In accordance with section 13404 of the HITECH Act, we proposed language in § 164.500 to clarify that, where provided, the standards, requirements, and implementation specifications of the Privacy Rule apply to business associates.
Overview of Public Comments
One commenter suggested that the Department expand the applicability of the Privacy Rule to all entities that handle individually identifiable health information. Some commenters requested clarification as to which provisions of the Privacy Rule apply directly to business associates, and one commenter recommended applying all of the provisions of the Privacy Rule to business associates, including requiring business associates to implement reasonable safeguards, train employees, and designate a privacy official.
Final Rule
The final rule implements the proposed revisions to § 164.500. While we understand commenters’ concerns regarding the uses and disclosures of health information by entities not covered by the Privacy Rule, the Department is limited to applying the HIPAA Rules to those entities covered by HIPAA (i.e., health plans, health 105 care clearinghouses, and health care providers that conduct covered transactions) and to business associates, as provided under the HITECH Act.
As we discuss further below, section 13404 of the HITECH Act creates direct liability for impermissible uses and disclosures of protected health information by a business associate of a covered entity “that obtains or creates” protected health information “pursuant to a written contract or other arrangement described in § 164.502(e)(2)” and for compliance with the other privacy provisions in the HITECH Act.
Section 13404 does not create direct liability for business associates with regard to compliance with all requirements under the Privacy Rule (i.e., does not treat them as covered entities). Therefore, under the final rule, a business associate is directly liable under the Privacy Rule for uses and disclosures of protected health information that are not in accord with its business associate agreement or the Privacy Rule. In addition, a business associate is directly liable for failing to disclose protected health information when required by the Secretary to do so for the Secretary to investigate and determine the business associate’s compliance with the HIPAA Rules, and for failing to disclose protected health information to the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations with respect to an individual’s request for an electronic copy of protected health information. See § 164.502(a)(3) and (a)(4).
Further, a business associate is directly liable for failing to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. See § 164.502(b).
Finally, business associates are directly liable for failing to enter into business associate agreements with subcontractors that create or receive protected health information on their behalf. See § 164.502(e)(1)(ii). As was the case under the Privacy Rule before the HITECH Act, business associates remain contractually liable for all other Privacy Rule obligations that are included in their contracts or other arrangements with covered entities.
HHS Description from Original Rulemaking Privacy of Individually Identifiable Health Information: Applicability |
The discussion below describes the entities and the information that are subject to the final regulation.
Many of the provisions of the regulation are presented as “standards.” Generally, the standards indicate what must be accomplished under the regulation and implementation specifications describe how the standards must be achieved.
Covered Entities
We proposed in the NPRM to apply the standards in the regulation to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. The proposal referred to these entities as “covered entities.”
We have revised § 164.500 to clarify the applicability of the rule to health care clearinghouses. As we stated in the preamble to the NPRM, we believe that in most instances health care clearinghouses will receive protected health information as a business associate to another covered entity. This understanding was confirmed by the comments and by our fact finding. Clearinghouses rarely have direct contact with individuals, and usually will not be in a position to create protected health information or to receive it directly from them. Unlike health plans and providers, clearinghouses usually convey and repackage information and do not add materially to the substance of protected health information of an individual.
The revised language provides that clearinghouses are not subject to certain requirements in the rule when acting as business associates of other covered entities. As revised, a clearinghouse acting as a business associate is subject only to the provisions of this section, to the definitions, to the general rules for uses and disclosures of protected health information (subject to limitations), to the provision relating to health care components, to the provisions relating to uses and disclosures for which consent, individual authorization or an opportunity to agree or object is not required (subject to limitations), to the transition requirements and to the compliance date. With respect to the uses and disclosures authorized under § 164.502 or § 164.512, a clearinghouse acting as a business associate is not authorized by the rule to make any use or disclosure not permitted by its business associate contract. Clearinghouses acting as business associates are not subject to the other requirements of this rule, which include the provisions relating to procedural requirements, requirements for obtaining consent, individual authorization or agreement, provision of a notice, individual rights to request privacy protection, access and amend information and receive an accounting of disclosures and the administrative requirements.
We note that, even as business associates, clearinghouses remain covered entities.
Clearinghouses, like other covered entities, are responsible under this regulation for abiding by the terms of business associate contracts. For example, while the provisions regarding individuals’ access to and right to request corrections to protected health information about them apply only to health plans and covered health care providers, clearinghouses may have some responsibility for providing such access under their business associate contracts. A clearinghouse (or any other covered entity) that violates the terms of a business associate contract also is in direct violation of this rule and, as a covered entity, is subject to compliance and enforcement action.
We clarify that a covered entity is only subject to these rules to the extent that they possess protected health information. Moreover, these rules only apply with regard to protected health information. For example, if a covered entity does not disclose or receive from its business associate any protected health information and no protected health information is created or received by its business associate on behalf of the covered entity, then the business associate requirements of this rule do not apply.
We clarify that the Department of Defense or any other federal agency and any non-governmental organization acting on its behalf, is not subject to this rule when it provides health care in another country to foreign national beneficiaries. The Secretary believes that this exemption is warranted because application of the rule could have the unintended effect of impeding or frustrating the conduct of such activities, such as interfering with the ability of military command authorities to obtain protected health information on prisoners of war, refugees, or detainees for whom they are responsible under international law. See the preamble to the definition of “individual” for further discussion.
Covered Information
We proposed in the NPRM to apply the requirements of the rule to individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity. The provisions would have applied to the information itself, referred to as protected health information in the rule, and not to the particular records in which the information is contained. We proposed that once information was maintained or transmitted electronically by a covered entity, the protections would follow the information in whatever form, including paper records, in which it exists while held by a covered entity. The proposal would not have applied to information that was never electronically maintained or transmitted by a covered entity.
In the final rule, we extend the scope of protections to all individually identifiable health information in any form, electronic or non-electronic, that is held or transmitted by a covered entity. This includes individually identifiable health information in paper records that never has been electronically stored or transmitted. (See § 164.501, definition of “protected health information,” for further discussion.)
HHS Response to Comments Received from Original Rulemaking Privacy of Individually Identifiable Health Information: Applicability |
Covered Entities
The response to comments on covered entities is included in the response to comments on the definition of “covered entity” in the preamble discussion of § 160.103.
Covered Information
The response to comments on covered information is included in the response to comments on the definition of “protected health information” in the preamble discussion of § 164.501.