HIPAA Regulations: Security Standards for the Protection of Electronic PHI: Organizational Requirements - § 164.314
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
HHS Security Regulations as Amended January 2013
(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract must provide that the business associate will—
(A) Comply with the applicable requirements of this subpart;
(B) In accordance with §164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and
(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410.
(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3).
(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by §164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.
(b)(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to §164.504(f)(1)(ii) or (iii), or as authorized under §164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
(2) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to—
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
(ii) Ensure that the adequate separation required by §164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
(iv) Report to the group health plan any security incident of which it becomes aware.
HHS Description and Commentary From the January 2013 Amendments: Security Standards for the Protection of Electronic PHI: Organizational Requirements
Proposed Rule
While Section 13401 of the HITECH Act does not expressly include § 164.314 among the provisions for which business associates are directly liable, it states that § 164.308 of the Security Rule applies to business associates "in the same manner" that the provision applies to covered entities. Section 164.308(b) requires a covered entity’s business associate agreements to conform to the requirements of § 164.314. Accordingly, in order for § 164.308(b) to apply to business associates in the same manner as it applies to covered entities, we proposed to revise § 164.314 to reflect that it is also applicable to agreements between business associates and subcontractors that create, receive, maintain, or transmit electronic protected health information.
We also proposed a number of modifications to streamline the requirements of § 164.314. First, since a business associate for purposes of the Security Rule is also always a business associate for purposes of the Privacy Rule, we proposed to remove contract provisions that were merely duplicative of parallel provisions in the Privacy Rule’s business associate contract provisions at § 164.504. We also proposed to remove the specific requirements under § 164.314(a)(2)(ii) for other arrangements, such as a memorandum of understanding when both a covered entity and business associate are governmental entities, and instead simply refer to the parallel Privacy Rule requirements at § 164.504(e)(3).
Second, we proposed conforming modifications to the remaining contract requirements in § 164.314(a)(2)(i) to provide that such contracts must require a business associate to comply with the Security Rule, to ensure any subcontractors enter into a contract or other arrangement to protect the security of electronic protected health information; and with respect to the reporting of security incidents by business associates to covered entities, to report to the covered entity breaches of unsecured protected health information as required by § 164.410 of the breach notification rules.
Third, we proposed to add a provision at § 164.314(a)(2)(iii) that provides that the requirements of this section for contracts or other arrangements between a covered entity and business associate would apply in the same manner to contracts or other arrangements between business associates and subcontractors required by the proposed requirements of § 164.308(b)(4). For example, under these provisions, a business associate contract between a business associate and a business associate subcontractor would need to provide that the subcontractor report any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410, to the business associate.
This would mean that if a breach of unsecured protected health information occurs at or by a second tier subcontractor, the subcontractor must notify the business associate subcontractor with which it contracts of the breach, which then must notify the business associate which contracts with the covered entity of the breach, which then must notify the covered entity of the breach. The covered entity then notifies the affected individuals, the Secretary, and, if applicable, the media, of the breach, unless it has delegated such responsibilities to a business associate.
Finally, we proposed to remove the reference to subcontractors in § 164.314(b)(2)(iii) regarding amendment of group health plan documents as a condition of disclosure of protected health information to a plan sponsor, as unnecessary and to avoid confusion when referring to subcontractors that are business associates.
Final Rule
The Department did not receive substantive public comment on these proposed changes. The final rule adopts the modifications as proposed.
Response to Other Public Comments
Comment: One commenter suggested that business associate agreements should be an "addressable" requirement under the Security Rule.
Response: The HITECH Act does not remove the requirements for business associate agreements under the HIPAA Rules. Therefore, we decline to make the execution of business associate agreements an "addressable" requirement under the Security Rule.
Comment: One commenter recommended that the Department remove the "addressable" designation from the Security Rule, because such designations lead to ambiguity in the application of the Security Rule in the health care industry.
Response: We decline to adopt this recommendation. The Security Rule is structured to be both scalable and flexible, so that entities of different types and sizes can implement the standards and implementation specifications in a manner that is reasonable and appropriate for their circumstances. We do not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because we recognize the diversity of regulated entities and appreciate the unique characteristics of their environments.
Comment: Two commenters suggested providing subcontractors with additional time to comply with the provisions of the Security Rule.
Response: We decline to delay application of the requirements under the Security Rule to subcontractors beyond the compliance dates provided by this final rule. As we emphasized above, the Security Rule already requires covered entities to establish business associate agreements that require business associates to ensure that their subcontractors implement reasonable and appropriate safeguards to protect the security of electronic protected health information they handle.
Comment: A few commenters proposed alternative ways to apply security requirements to subcontractors, such as exempting subcontractors from compliance with the Security Rule if they have already completed security assessments and met the security requirements under other State and Federal laws or only requiring subcontractors to comply with the minimum necessary standard and to utilize "reasonable" security measures with regard to protected health information.
Response: We decline to adopt an exemption or otherwise limit subcontractors’ responsibility to safeguard individuals’ electronic protected health information. To ensure appropriate and strong security protections for electronic protected health information, subcontractors are required to comply with the Security Rule to the same extent as business associates with a direct relationship with a covered entity.
HHS Description From the Original Security Regulations: Security Standards for the Protection of Electronic PHI: Organizational Requirements
We proposed that each health care clearinghouse must comply with the security standards to ensure all health information and activities are protected from unauthorized access. If the clearinghouse is part of a larger organization, then unauthorized access by the larger organization must be prevented. We also proposed that parties processing data through a third party would be required to enter into a chain of trust partner agreement, a contract in which the parties agree to electronically exchange data and to protect the transmitted data in accordance with the security standards.
In this final rule, we have adopted the concepts of hybrid and affiliated entities, as previously defined in § 164.504, and now defined in § 164.103, and business associates as defined in § 160.103, to be consistent with the Privacy Rule. General organizational requirements related to affiliated covered entities and hybrid entities are now contained in a new § 164.105. The proposed chain of trust partner agreement has been replaced by the standards for business associate contracts or other arrangements and the standards for group health plans. Consistent with the statute and the policy of the Privacy Rule, this final rule does not require noncovered entities to comply with the security standards.
Health Care Clearinghouses
The proposed rule proposed that if a health care clearinghouse were part of a larger organization, it would be required to ensure that all health information pertaining to an individual is protected from unauthorized access by the larger organization; this statement closely tracked the statutory language in section 1173(d)(1)(B) of the Act. Since the point of the statutory language is to ensure that health care information in the possession of a health care clearinghouse is not inappropriately accessed by the larger organization of which it is a part, this final rule implements the statutory language through the information access management provision of § 164.308(a)(4)(ii)(A).
The final rule, at § 164.105, makes the health care component and affiliated entity standards of the Privacy Rule applicable to the security standards. Therefore, we have not changed those standards substantively. As they pertain to the Privacy Rule, we have simply moved them to a new location in part 164. Any differences between § 164.105 and § 164.504(a) through (d) reflect the addition of requirements specific to the security standards.
The health care component approach was developed in response to extensive comment received principally on the Privacy Rule. See 65 FR 82502 through 82503 and 82637 through 82640 for a discussion of the policy concerns underlying the health care component approach. Since the security standards are intended to support the protection of electronic information protected by the Privacy Rule, it makes sense to incorporate organizational requirements that parallel those required of covered entities by the Privacy Rule. This policy will also minimize the burden of complying with both rules.
Business Associate Contracts and Other Arrangements
We proposed that parties processing data through a third party would be required to enter into a chain of trust partner agreement, a contract in which the parties agree to electronically exchange data and to protect the transmitted data. This final rule narrows the scope of agreements required. It essentially tracks the provisions in § 164.502(e) and § 164.504(e) of the Privacy Rule, although appropriate modifications have been made in this rule to the required elements of the contract.
In this final rule, a contract between a covered entity and a business associate must provide that the business associate must--(1) implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity; (2) ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate safeguards; (3) report to the covered entity any security incident of which it becomes aware; (4) make its policies and procedures, and documentation required by this subpart relating to such safeguards, available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and (5) authorize termination of the contract by the covered entity if the covered entity determines that the business associate has violated a material term of the contract.
When a covered entity and its business associate are both governmental entities, an "other arrangement" is sufficient. The covered entity is in compliance with this standard if it enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of the above-described business associate contract. However, the covered entity may omit from this memorandum the termination authorization required by the business associate contract provisions if this authorization is inconsistent with the statutory obligations of the covered entity or its business associate. If other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of the above-described business associate contract, a contract or agreement is not required. If a covered entity enters into other arrangements with another governmental entity that is a business associate, such arrangements may omit provisions equivalent to the termination authorization required by the business associate contract, if inconsistent with the statutory obligation of the covered entity or its business associate.
If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in § 160.103 of this subchapter to a covered entity, the covered entity may permit the business associate to receive, create, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirements of the above-described business associate contract, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by the above described business associate contract and documents the attempt and the reasons that these assurances cannot be obtained.
We have added a standard for group health plans that parallels the provisions of the Privacy Rule. It became apparent during the course of the security and privacy rulemaking that our original chain of trust approach was both overly broad in scope and failed to address appropriately the circumstances of certain covered entities, particularly the ERISA group health plans. These latter considerations and the solutions arrived at in the Privacy Rule are described in detail in the Privacy Rule at 65 FR 82507 through 82509. Because the purpose of the security standards is in part to reinforce privacy protections, it makes sense to align the organizational policies of the two rules. This decision should also make compliance less burdensome for covered entities than would a decision to have different organizational requirements for the two sets of rules.
Thus, we have added at § 164.314(b) a standard for group health plan that tracks the standard at § 164.504(f) very closely. The purpose of these provisions is to ensure that, except when the electronic protected health information disclosed to a plan sponsor is summary health information or enrollment or disenrollment information as provided for by § 164.504(f), group health plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained or transmitted to or by the plan sponsor on behalf of the group health plan. The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; ensure that any agents, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate safeguards to protect the information; report to the group health plan any security incident of which it becomes aware; and make its policies and procedures and documentation relating to these safeguards available to the Secretary for purposes of determining the group health plan's compliance with this subpart.
HHS Response to Comments Received From the Original Security Regulations: Security Standards for the Protection of Electronic PHI: Organizational Requirements
Health Care Clearinghouses
Comment: Relative to the following preamble statement (63 FR 43258): "If the clearinghouse is part of a larger organization, then security must be imposed to prevent unauthorized access by the larger organization."
One commenter asked what is considered to be "the larger organization." For example, if a clearinghouse function occurs in a department of a larger business entity, will the regulation cover all internal electronic communication, such as e-mail, within the larger business and all external electronic communication, such as e-mail with its owners?
Response: The "larger organization" is the overall business entity that a clearinghouse would be part of. Under the Security Rule, the larger organization must assure that the health care clearinghouse function has instituted measures to ensure only that electronic protected health information that it processes is not improperly accessed by unauthorized persons or other entities, including the larger organization. Internal electronic communication within the larger organization will not be covered by the rule if it does not involve the clearinghouse, assuming that it has designated health care components, of which the health care clearinghouse is one.
External communication must be protected as sent by the clearinghouse, but need not be protected once received.
Comment: One commenter asked that the first sentence in § 142.306(b) of the proposed rule, "If a health care clearinghouse is part of a larger organization, it must assure all health information is protected from unauthorized access by the larger organization" be expanded to read, "If a health care clearinghouse or any other health care entity is part of a larger organization . . ."
Response: The Act specifically provides, at section 1173(d)(1)(B), that the Secretary must adopt standards to ensure that a health care clearinghouse, if part of a larger organization, has policies and security procedures to protect information from unauthorized access by the larger organization.
Health care providers and health plans are often part of larger organizations that are not themselves health care providers or health plans. The security measures implemented by health plans and covered health care providers should protect electronic protected health information in circumstances such as the one identified by the commenter. Therefore, we agree with the comment that the requirement should be expanded as suggested by the commenter. In this final rule, those components of a hybrid entity that are designated as health care components must comply with the security standards and protect against unauthorized access with respect to the other components of the larger entity in the same way as they must deal with separate entities.
Business Associate Contracts and Other Arrangements
Comment: Several commenters expressed confusion concerning the applicability of proposed § 142.104 to security.
Response: The proposed preamble included language generally applicable to most of the proposed standards under HIPAA. Proposed § 142.104 concerned general requirements for health plans relative to processing transactions. We proposed that plans could not refuse to conduct a transaction as a standard transaction, or delay or otherwise adversely affect a transaction on the grounds that it was a standard transaction; health information transmitted and received in connection with a transaction must be in the form of standard data elements; and plans conducting transactions through an agent must ensure that the agent met all the requirements that applied to the health plan. Except for the statement that a plan's agent ("business associate" in the final rule) must meet the requirements (which would include security) that apply to the health plan, this proposed section did not pertain to the security standards and was addressed in the Transaction Rule.
Comment: The majority of comments concerned proposed rule language stating "the same level of security will be maintained at all links in the chain . . ." Commenters believed the current language will have an adverse impact on one of the security standard's basic premises, which is scalability. It was requested that the language be changed to indicate that, while appropriate security must be maintained, all partners do not need to maintain the same level of security.
A number of commenters expressed some confusion concerning their responsibility for the security of information once it has passed from their control to their trading partner's control, and so on down the trading partner chain. Requests were made that we clarify that chain of trust partner agreements were really between two parties, and that, if a trading partner agreement has been entered into, any given partner would not be responsible, or liable, for the security of data once it is out of his or her control.
In line with this concern, several commenters were concerned that they would have some responsibility to ensure the level of security maintained by their trading partner.
Several commenters believe a chain of trust partner agreement should not be a security requirement. One commenter stated that because covered entities must already conform to the regulation requirements, a "chain of trust" agreement does not add to overall security. Compliance with the regulation should be sufficient.
Response: We believe the commenters are correct that the rule as proposed would--(1) not allow for scalability; and (2) would lead an entity to believe it is responsible, and liable, for making sure all entities down the line maintain the same level of security. The confusion here seems to come from the phrase "same level of security." Our intention was that each trading partner would maintain reasonable and appropriate safeguards to protect the information. We did not mean that partners would need to implement the same security technology or measures and procedures.
We have replaced the proposed "Chain of trust" standard with a standard for "Business associate contracts and other arrangements."
When another entity is acting as a business associate of a covered entity, we require the covered entity to require the other entity to protect the electronic protected health information that it creates, receives, maintains or transmits on the covered entity's behalf. The level of security afforded particular electronic protected health information should not decrease just because the covered entity has made the business decision to entrust a business associate with using or disclosing that information in connection with the performance of certain functions instead of doing those functions itself. Thus, the rule below requires covered entities to require their business associates to implement certain safeguards and take other measures to ensure that the information is safeguarded (see § 164.308(b)(1) and § 164.314(a)(1)).
The specific requirements of § 164.314(a)(1) are drawn from the analogous requirements at 45 CFR 164.504(e) of the Privacy Rule, although they have been adapted to reflect the objectives and context of the security standards. Compare, in particular, 45 CFR 164.504(e)(2)(ii) with § 164.314(a)(1). We have not imported all of the requirements of 45 CFR 164.504(e), however, as many have no clear analog in the security context (see, for example, 45 CFR 164.504(e)(2)(i) regarding permitted and required uses and disclosures made by a business associate). HHS had previously committed to reconciling its security and privacy policies regarding business associates (see 65 FR 82643). The close relationship of many of the organizational requirements in section § 164.314 with the analogous requirements of the Privacy Rule should facilitate the implementation and coordination of security and privacy policies and procedures by covered entities.
In contrast, when another entity is not acting as a business associate for the covered entity, but rather is acting in the capacity of some other sort of trading partner, we do not require the covered entity to require the other entity to adopt particular security measures, as previously proposed. This policy is likewise consistent with the general approach of the Privacy Rule (see the discussion in the Privacy Rule at 65 FR 82476). The covered entity is free to negotiate security arrangements with its non-business associate trading partners, but this rule does not require it to do so.
A similar approach underlies § 164.314(b) below. These provisions are likewise drawn from, and intended to support, the analogous privacy protections provided for by 45 CFR 164.504(f) (see the discussion of § 164.504(f) of the Privacy Rule at 65 FR 82507 through 82509, and 82646 through 82648). As with the business associate contract provisions, however, they are imported and adapted only to the extent they make sense in the security context. Thus, for example, the requirement at § 164.504(f)(2)(ii)(C) prohibits the plan documents from permitting disclosure of protected health information to the plan sponsor for employment-related purposes. As this prohibition goes entirely to the permissibility of a particular type of disclosure, it has no analog in § 164.314(b).
Comment: Several commenters stated that if security features are determined by agreements established between "trading partners," as stated in the proposed regulations, there should be some guidelines or boundaries for those agreements so that extreme or unusual provisions are not permitted.
Response: This final rule sets a baseline, or minimum level, of security measures that must be taken by a covered entity and stipulates that a business associate must also implement reasonable and appropriate safeguards. This final rule does not, however, prohibit a covered entity from employing more stringent security measures or from requiring a business associate to employ more stringent security measures. A covered entity may determine that, in order to do business with it, a business associate must also employ equivalent measures. This would be a business decision and would not be governed by the provisions of this rule. Security mechanisms relative to the transmission of electronic protected health information between entities may need to be agreed upon by both parties in order to successfully complete the transmission. However, the determination of the specific transmission mechanisms and the specific security features to be implemented remains a business decision.
Comment: Several commenters asked whether existing contracts could be used to meet the requirement for a trading partner agreement, or whether the rule requires entry into a new contract specific to this purpose. The commenters also wanted to know about those whose working agreements do not involve a written contractual agreement: Do they now need to set up formal agreements and incur the additional expense that would entail?
Response: This final rule requires written agreements between covered entities and business associates. New contracts do not have to be entered into specifically for this purpose, if existing written contracts adequately address the applicable requirements (or can be amended to do so).
Comment: Several commenters asked whether covered entities are responsible for the security of all individual health information sent to them, or only information sent by chain of trust partners. They also asked if they can refuse to process standard transactions sent to them in an unsecured fashion. In addition, they inquired if they can refuse to send secured information in standard transactions to entities not required by law to secure the information. One commenter asked if there is a formula for understanding in any particular set of relationships where the ultimate responsibility for compliance with the standards would lie.
Response: Pursuant to the Transactions Rule, if a health plan receives an unsecured standard transaction, it may not refuse to process that transaction simply because it was sent in an unsecured manner. The health plan is not responsible under this rule for how the transaction was sent to it (unless the transmission was made by a business associate, in which case different considerations apply); however, once electronic protected health information is in the possession of a covered entity, the covered entity is responsible for the security of the electronic protected health information received. The covered entity must implement technical security mechanisms to guard against unauthorized access to electronic protected health information that is transmitted over an electronic communication network. In addition, the rule requires the transmitting covered entity to obtain written assurance from a business associate receiving the transmission that it will provide an adequate level of protection to the information. For the business associate provisions, see § 164.308(b) and § 164.314(a) of this final rule.
Comment: One commenter asked what security standards a vendor having access to a covered entity's health information during development, testing, and repair must meet and wanted to know whether the rule anticipates having a double layer of security compliance (one at the user level and one at the vendor level). If so, the commenter believes this will cause duplication of work.
Response: In the situation described, the vendor would be acting as a business associate. The covered entity must require the business associate to implement reasonable and appropriate security protections of electronic protected health information. This requirement, however, does not impose detailed requirements for how that level of protection must be achieved. The resulting flexibility should permit entities and their business associates to adapt their security safeguards in ways that make sense in their particular environments.
Comment: A number of commenters requested sample contract language or models of contracts. We also received one comment that suggested that we should not dictate the contents of contracted agreements.
Response: We will consider developing sample contract language as part of our guideline development.