HIPAA Final Rule: Modification of Business Associate Definition, Part (3)

February 11, 2013.  Today, we start to examine (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Here is the first of three parts of this paragraph, (i), which is the subject of today’s post:

(3) Business associate includes:

“(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”  [78 Federal Register 5688]

Again, as a reminder, “business associate means, with respect to a covered entity, a person.”  [emphasis added]  As defined at 45 CFR 160.103, person means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”

The Final Rule modified the definition of business associate to include explicitly each of the organizations listed above to conform with provisions of the HITECH Act.

Health Information Organization.  According to the Final Rule:  “We decline to provide a definition for Health Information Organization.  We recognize that the industry continues to develop and thus the type of entities that may be considered Health Information Organizations continues to evolve.  For this reason, we do not think it prudent to include in the regulation a specific definition at this time.  We anticipate continuing to issue guidance in the future on our Web site on the types of entities that do and do not fall within the definition of business associate, which can be updated as the industry evolves.”  [78 Federal Register 5571]

Access on a routine basis.  The Final Rule distinguishes a business associate that requires access on a routine basis from a conduit function or activity.  The Final Rule states:  “a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity.  The conduit exception is a narrow one … a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by law…. Such occasional, random access to protected health information would not qualify [a] company as a business associate…. We intend to issue further guidance in this area as electronic health information exchange continues to evolve.” [78 Federal Register 5571-5572]

The Final Rule discusses another critical difference:  “We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission.  In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.  We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information.  However, the difference between the two situations is the transient versus persistent nature of that opportunity.  For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis….  To help clarify this point, we have modified the definition of ‘business associate’ to generally provide that a business associate includes a person who ‘creates, receives, maintains, or transmits’ (emphasis added) protected health information on behalf of a covered entity.” [78 Federal Register 5572]

Tomorrow, we discuss personal health record vendors as business associates.
