Exploring HIPAA and HITECH Act Definitions: Part 11

From now through November, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Breach

(A) In General—The term ‘breach’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

(B) Exceptions—The term ‘breach’ does not include—

1. Any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if—
   1. Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
   2. Such information is not further acquired, accessed, used, or disclosed by an person; or
2. Any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
3. Any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

[Note:  The definition of ‘breach‘ in the enabling regulation is different in several respects from the statutory definition above, including introduction of consideration of risk of harm to the individual:

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [Privacy of Individually Identifiable Health Information] of this part [45 CFR 164:  Security and Privacy] which compromises the security or privacy of the protected health information.

(1)(i) For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.

(ii) A use or disclosure of protected health information that does not include the identifiers listed at § 164.514(e)(2) [Implementation Specification for the Limited Data Set standard], date of birth, and zip code does not compromise the security or privacy of the protected health information.

(2) Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

See Department of Health and Human Services, Office of the Secretary, “45 CFR Parts 160 and 164–Breach Notification for Unsecured Protected Health Information; Interim Final Rule,” Federal Register, v. 74, n. 162, August 24, 2009, pp.42767-42768.]

Business Associate

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

1. On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
   1. A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
   2. Any other function or activity regulated by this subchapter; or
   3. Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(3) A covered entity may be a business associate of another covered entity.”

Covered Entity

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”