
HIPAA Final Rule: Modification of Business Associate Definition, Part (3)

February 11, 2013 · American Recovery and Reinvestment Act, Health IT and HITECH, HIPAA Law, Privacy, Security

February 11, 2013.  Today, we start to examine (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Here is the first of three parts of this paragraph, (i), which is the subject of today’s post:

(3) Business associate includes:

“(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”  [78 Federal Register 5688]

Again, as a reminder, “business associate means, with respect to a covered entity, a person.”  [emphasis added]  As defined at 45 CFR 160.103, person means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”

The Final Rule modified the definition of business associate to include explicitly each of the organizations listed above to conform with provisions of the HITECH Act.

Health Information Organization.  According to the Final Rule:  “We decline to provide a definition for Health Information Organization.  We recognize that the industry continues to develop and thus the type of entities that may be considered Health Information Organizations continues to evolve.  For this reason, we do not think it prudent to include in the regulation a specific definition at this time.  We anticipate continuing to issue guidance in the future on our Web site on the types of entities that do and do not fall within the definition of business associate, which can be updated as the industry evolves.”  [78 Federal Register 5571]

Access on a routine basis.  The Final Rule distinguishes between a business associate that requires access on a routine basis versus a conduit function or activity.  The Final Rule states:  “a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity.  The conduit exception is a narrow one … a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by law…. Such occasional, random access to protected health information would not qualify [a] company as a business associate…. We intend to issue further guidance in this area as electronic health information exchange continues to evolve.” [78 Federal Register 5571-5572]

The Final Rule discusses another critical difference:  “We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission.  In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.  We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information.  However, the difference between the two situations is the transient versus persistent nature of that opportunity.  For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis….  To help clarify this point, we have modified the definition of ‘business associate’ to generally provide that a business associate includes a person who ‘creates, receives, maintains, or transmits’ (emphasis added) protected health information on behalf of a covered entity.” [78 Federal Register 5572]

Tomorrow, we discuss personal health record vendors as business associates.
