HIPAA Compliance

HIPAA Final Rule: Modification of Business Associate Definition, Part (4)–Personal Health Record Vendor

February 12, 2013 · American Recovery and Reinvestment Act, Health IT and HITECH, HIPAA Law, Privacy, Security

February 12, 2013.  Today, we examine the role of the personal health record vendor in paragraph (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Here is the second of three parts of this paragraph, which is the subject of today’s post:

(3) Business associate includes:

“(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.”  [78 Federal Register 5688]

Again, as a reminder, “business associate means, with respect to a covered entity, a person.”  [emphasis added]  As defined at 45 CFR 160.103, person means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”

The Final Rule modified the definition of business associate to include explicitly a personal health record vendor under certain conditions to enable provisions of the HITECH Act, and discusses the role of the personal health record vendor as follows:

“As with data transmission services [discussed in the February 11, 2013, post], determining whether a personal health record vendor is a business associate is a fact specific determination.  A personal health record vendor is not a business associate of a covered entity solely by virtue of entering into an interoperability relationship with a covered entity.  For example, when a personal health record vendor and a covered entity establish the electronic means for a covered entity’s electronic health record to send protected health information to the personal health record vendor pursuant to the individual’s written authorization, it does not mean that the personal health record vendor is offering the personal health record on behalf of the covered entity, even if there is an agreement between the personal health record vendor and the covered entity governing the exchange of data (such as an agreement specifying the technical specifications for exchanging of data or specifying that such data shall be kept confidential).  In contrast, when a covered entity hires a vendor to provide and manage a personal health record service the covered entity wishes to offer its patients or enrollees, and provides the vendor with access to protected health information in order to do so, the personal health record vendor is a business associate.

“A personal health record vendor may offer personal health records directly to individuals and may also offer personal health records on behalf of covered entities.  In such cases, the personal health record vendor is only subject to HIPAA as a business associate with respect to personal health records that are offered to individuals on behalf of covered entities.

“[A] personal health record vendor that offers a personal health record to a patient on behalf of a covered entity does not act merely as a conduit.  Rather, the personal health record vendor is maintaining protected health information on behalf of the covered entity (for the benefit of the individual).  Further, a personal health record vendor that operates a personal health record on behalf of a covered entity is a business associate if it has access to protected health information, regardless of whether the personal health record vendor actually exercises this access….  As with other aspects of the definition of ‘business associate,’ we intend to provide future guidance on when a personal health record vendor is a business associate for purposes of the HIPAA Rules.”  [78 Federal Register 5572]

Tomorrow, we take up the third of three parts of paragraph (3) of the modified definition of business associate:  subcontractors.

© 2023 · hipaa.com
