NRPM: Standards for Privacy of Individually Identifiable Health Information. 6. Application to business partners. (§ 164.506(e))


In § 164.506(e), we propose to require covered entities to take specific steps to ensure that protected health information disclosed to a business partner remains protected. We intend these provisions to allow customary business relationships in the health care industry to continue while providing privacy protections to the information shared in these relationships. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted of the covered entity itself under these rules.

Other than for purposes of consultation or referral for treatment, we would allow covered entities to disclose protected health information to business partners only pursuant to a written contract that would, among other specified provisions, limit the business partner’s uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We would hold the covered entity responsible for certain violations of this proposed rule made by their business partners, and require assignment of responsibilities when a covered entity acts as a business partner of another covered entity.

Under this proposed rule, a business partner would be acting on behalf of a covered entity, and we propose that its use or disclosure of protected health information be limited to the same extent that the covered entity for whom they are acting would be limited. Thus, a business partner could have no more authority to use or disclose protected health information than that possessed by the covered entity from which the business partner received the information. We would note that a business partner’s authority to use and disclose protected health information could be further restricted by its contract with a covered entity, as described below.

We are not proposing to require the business partners of covered entities to develop and distribute a notice of information practices, as provided in proposed § 164.512. A business partner would, however, be bound by the terms of the notice of the covered entity from which it obtains protected health information. See proposed § 164.506(e). We are proposing this approach so that individuals could rely on the notices that they receive from the covered entities to which they disclose protected health information. If the business partners of a covered entity were able to make wider use or make more disclosures than the covered entity, the patients or enrollees of the covered entity would have difficulty knowing how their information was being used and to whom it was being disclosed.

We are also proposing that a business partner’s use and disclosure of protected health information be limited by the terms of the business partner’s contractual agreement with the covered entity. We propose that a contract between a covered entity and a business partner could not grant the business partner authority to make uses or disclosures of protected health information that the covered entity itself would not have the authority to make. The contract between a covered entity and a business partner could further limit the business partner’s authority to use or disclose protected health information as agreed to by the parties. Further, the business partner would have to apply the same limitations to its subcontractors (or persons with similar arrangements) who assist with or carry out the business partner’s activities.

To help ensure that the uses and disclosures of business partners are limited to those recognized as appropriate by the covered entities from whom they receive protected health information, subject to the exception discussed below, we are proposing that covered entities be prohibited from disclosing protected health information to a business partner unless the covered entity has entered into a written contract with the business partner that meets the requirements of this subsection. See proposed § 164.506(e)(2)(i).

The contract requirement that we are proposing would permit covered entities to exercise control over their business partners’ activities and provides documentation of the relationship between the parties, particularly the scope of the uses and disclosures of protected health information that business partners could make. The presence of a contract also would formalize the relationship, better assuring that key questions such as security, scope of use and disclosure, and access by subject individuals are adequately addressed and that the roles of the respective parties are clarified. Finally, a contract can bind the business partner to return any protected health information from the covered entity when the relationship is terminated.

In lieu of a contracting requirement, we considered imposing only affirmative duties on covered entities to ensure that their relationships with business partners conformed to the standards discussed in the previous paragraph. Such an approach could be considered less burdensome and restrictive, because we would be leaving it to the parties to determine how to make the standards effective. We rejected this approach primarily because we believe that in the vast majority of cases, the only way that the parties could establish a relationship with these terms would be through contract. We also determined that the value of making the terms explicit through a written contract would better enable the parties to know their roles and responsibilities, as well as better enable the Secretary to exercise her oversight role. In addition, we understand that most covered entities already enter into contracts in these situations and therefore this proposal would not disturb general business practice. We invite comment on whether there are other contractual or non-contractual approaches that would afford an adequate level of protection to individuals’ protected health information. We also invite comment on the specific provisions and terms of the proposed approach.

We are proposing one exception to the contracting requirement: when a covered entity consults with or makes a referral to another covered entity for the treatment of an individual, we would propose that the sharing of protected health information pursuant to that consultation or referral not be subject to the contracting requirement described above. See proposed § 164.506(e)(1)(i). Unlike most business partner relationships, which involve the systematic sharing of protected health information under a business relationship, consultation and referrals for treatment occur on a more informal basis among peers, and are specific to a particular individual. Such exchanges of information for treatment also appear to be less likely to raise concerns about further impermissible use or disclosure, because providers receiving such information are unlikely to have a commercial or other interest in using or disclosing the information. We invite comment on the appropriateness of this exception, and whether there are additional exceptions that should be included in the final regulation.

We note that covered health care providers receiving protected health information for consultation or referral purposes would still be subject to this rule, and could not use or disclose such protected health information for a purpose other than the purpose for which it was received (i.e., the consultation or referral). Further, we note that providers making disclosures for consultations or referrals should be careful to inform the receiving provider of any special limitations or conditions to which the disclosing provider has agreed to impose (e.g., the disclosing provider has provided notice to its patients that it will not make disclosures for research).

We are proposing that covered entities be accountable for the uses and disclosures of protected health information by their business partners. A covered entity would be in violation of this rule if the covered entity knew or reasonably should have known of a material breach of the contract by a business partner and it failed to take reasonable steps to cure the breach or terminate the contract. See proposed § 164.506(e)(2)(iii). A covered entity that is aware of impermissible uses and disclosures by a business partner would be responsible for taking such steps as are necessary to prevent further improper use or disclosures and, to the extent practicable, for mitigating any harm caused by such violations. This would include, for example, requiring the business partner to retrieve inappropriately disclosed information (even if the business partner must pay for it) as a condition of continuing to do business with the covered entity. A covered entity that knows or should know of impermissible use of protected health information by its business partner and fails to take reasonable steps to end the breach would be in violation of this rule.

We considered requiring covered entities to terminate relationships with business partners if the business partner committed a serious breach of contact terms required by this subpart or if the business partner exhibited a pattern or practice of behavior that resulted in repeated breaches of such terms. We rejected that approach because of the substantial disruptions in business relationships and customer service when terminations occur. We instead require the covered entity to take reasonable steps to end the breach and mitigate its effects. We would expect covered entities to terminate the arrangement if it becomes clear that a business partner cannot be relied upon to maintain the privacy of protected health information provided to it. We invite comments on our approach here and whether requiring automatic termination of business partner contracts would be warranted in any circumstances.

We also considered imposing more strict liability on covered entities for the actions of their business partners, just as principals are strictly liable for the actions of their agents under common law. We decided, however, that this could impose too great a burden on covered entities, particularly small providers. We are aware that, in some cases, the business partner will be larger and more sophisticated with respect to information handling than the covered entity. Therefore we instead opted to propose that covered entities monitor use of protected health information by business partners, and be held responsible only when they knew or should have known of improper use of protected health information.

Our intention in this section is to recognize the myriad of business relationships that currently exist and to ensure that when they involve the exchange of protected health information, the roles and responsibilities of the different parties with respect to the protected health information are clear. We do not propose to fundamentally alter the types of business relationships that exist in the health care industry or the manner in which they function. We request comments on the extent to which our proposal would disturb existing contractual or other arrangements among covered entities and business partners.