February 14, 2013. Today, we finish examining the business associate definition, focusing on exceptions, as modified by the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
Paragraph (4) of the modified definition outlines 4 exceptions (45 CFR 160.103, Definitions, as shown at 78 Federal Register 5688):
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of 164.504(f) [Standard: Requirements for group health plans] of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
In general, these exclusions have been a part of the HIPAA Rules. Three of them have been moved into the definition from other parts of the Rules, as described below, and the wording has been tightened or modified (e.g., in (iii), protected health information has been substituted for individually identifiable health information). [78 Federal Register 5574]
Exception (iv) was part of the predecessor definition of business associate at 45 CFR 160.103(2), with slight changes in wording, but not substance.
The Final Rule discusses items (i)-(iii): “Sections 164.308(b)(2) [Standard: Business associate contracts and other arrangements “does not apply”] and 164.502(e)(1)(ii) [Standard: Disclosures to business associates “does not apply”] of the HIPAA Rules currently describe certain circumstances, such as when a covered entity discloses protected health information to a health care provider concerning the treatment of an individual [i], in which a covered entity is not required to enter into a business associate contract or other arrangement with the recipient of the protected health information. We proposed to [and did, in the Final Rule] move these provisions to the definition of ‘business associate’ itself as exceptions to make clear that the Department does not consider the recipients of the protected health information in these circumstances to be business associates. The movement of these exceptions also was intended to help clarify that a person or an entity is a business associate if the person or entity meets the definition of ‘business associate,’ even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity.” [78 Federal Register 5574]
Tomorrow, we begin to examine new definitions in the Final Rule, and next week we look at modifications in the Final Rule regarding enforcement.