HIPAA Final Rule: Modification of Business Associate Definition, Part (4)–Personal Health Record Vendor

February 12, 2013.  Today, we examine the role of the personal health record vendor in paragraph (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Here is the second of three parts of this paragraph, which is the subject of today’s post:

(3) Business associate includes:

“(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.”  [78 Federal Register 5688]

Again, as a reminder, “business associate means, with respect to a covered entity, a person.”  [emphasis added]  As defined at 45 CFR 160.103, person means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”

The Final Rule modified the definition of business associate to include a personal health record vendor explicitly, under certain conditions, to enable provisions of the HITECH Act. It discusses the role of the personal health record vendor as follows:

“As with data transmission services [discussed in the February 11, 2013, post], determining whether a personal health record vendor is a business associate is a fact specific determination.  A personal health record vendor is not a business associate of a covered entity solely by virtue of entering into an interoperability relationship with a covered entity.  For example, when a personal health record vendor and a covered entity establish the electronic means for a covered entity’s electronic health record to send protected health information to the personal health record vendor pursuant to the individual’s written authorization, it does not mean that the personal health record vendor is offering the personal health record on behalf of the covered entity, even if there is an agreement between the personal health record vendor and the covered entity governing the exchange of data (such as an agreement specifying the technical specifications for exchanging of data or specifying that such data shall be kept confidential).  In contrast, when a covered entity hires a vendor to provide and manage a personal health record service the covered entity wishes to offer its patients or enrollees, and provides the vendor with access to protected health information in order to do so, the personal health record vendor is a business associate.

“A personal health record vendor may offer personal health records directly to individuals and may also offer personal health records on behalf of covered entities.  In such cases, the personal health record vendor is only subject to HIPAA as a business associate with respect to personal health records that are offered to individuals on behalf of covered entities.

“[A] personal health record vendor that offers a personal health record to a patient on behalf of a covered entity does not act merely as a conduit.  Rather, the personal health record vendor is maintaining protected health information on behalf of the covered entity (for the benefit of the individual).  Further, a personal health record vendor that operates a personal health record on behalf of a covered entity is a business associate if it has access to protected health information, regardless of whether the personal health record vendor actually exercises this access….  As with other aspects of the definition of ‘business associate,’ we intend to provide future guidance on when a personal health record vendor is a business associate for purposes of the HIPAA Rules.”  [78 Federal Register 5572]

Tomorrow, we take up the third of three parts of paragraph (3) of the modified definition of business associate:  subcontractors.
