HIPAA Final Rule: More on Business Associate Uses & Disclosures in the Business Associate Contract

March 11, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Our focus last week was on 45 CFR 164.502: Uses and disclosures of protected health information:  General Rules, and, on Friday, March 8, on 45 CFR 164.502(e):  “(1) Standard: Disclosures to business associates, and (2) Implementation specification: Documentation.” Today, we focus on the modified provisions at 164.504(e)(1):  Uses and disclosures: Organizational requirements–Standard:  Business associate contracts, that were referenced in 45 CFR 164.502(e):  164.504(e)(1), (e)(2), (e)(3), and (e)(5).

“164.504(e)(1) Standard: Business associate contracts.

“(i) The contract or other arrangement required by 45 CFR 164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable.

“(ii) A covered entity is not in compliance with the standards in 164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

“(iii) A business associate is not in compliance with the standards in 164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor’s obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

“164.504(e)(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:

“(i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of [the HIPAA Privacy Rule], if done by the covered entity, except that:

“(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) [Implementation specifications:  Other requirements for contracts and other arrangements, at 78 Federal Register 5698] of this section; and

“(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

“(ii) Provide that the business associate will:

“(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;

“(B) Use appropriate safeguards and comply, where applicable, with [the HIPAA Security Rule] with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;

“(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR 164.410 [Breach Notification Rule:  Notification by a business associate, as modified at 78 Federal Register 5695];

“(D) In accordance with 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

“(E) Make available protected health information in accordance with 164.524 [Access of individuals to protected health information, as modified at 78 Federal Register 5701-5702];

“(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with 164.526 [Amendment of protected health information];

“(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528 [Accounting of disclosures of protected health information];

“(H) To the extent the business associate is to carry out a covered entity’s obligation under [the HIPAA Privacy Rule], comply with the requirements of [the HIPAA Privacy Rule] that apply to the covered entity in the performance of such obligation.

“(I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and

“(J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

“(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

“(e)(3) Implementation specifications: Other arrangements. (i) If a covered entity and its business associate are both governmental entities:

“(A) The covered entity may comply with this paragraph and 164.314(a)(1) [HIPAA Security Rule: Standard:  Business associate contracts or other arrangements, as modified at 78 Federal Register 5694], if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section and 164.314(a)(2) [Implementation specifications], if applicable.

“(B) The covered entity may comply with this paragraph and 164.314(a)(1), if applicable, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section and 164.314(a)(2), if applicable.

“(ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in 45 CFR 160.103 [as modified at 78 Federal Register 5688] to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and 164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and 164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.

“(iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.

“(iv) A covered entity may comply with this paragraph and 164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with 164.514(e)(4) [Implementation specifications:  [Limited data set] Data use agreement, as modified at 78 Federal Register 5700] and 164.314(a)(1), if applicable.

“(e)(5) Implementation specifications: Business associate contracts with subcontractors. The requirements of 45 CFR 164.504(e)(2) through (e)(4) apply to the contract or other arrangement required by 164.502(e)(1)(ii) between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.”

78 Federal Register 5697

On January 25, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) launched a Business Associate Contract Web site with Sample Business Associate Agreement Provisions that provides guidance to covered entities on preparing appropriate business associate agreements with required provisions, including those discussed in this posting.

Tomorrow, we close the presentation of 45 CFR 164.502 with 164.502(f):  Standard:  Deceased individuals.
