NRPM: Standards for Privacy of Individually Identifiable Health Information. ii. Scope of the contractual agreement.

11/03/1999

We are also proposing that a business partner’s use and disclosure of protected health information be limited by the terms of the business partner’s contractual agreement with the covered entity. We propose that a contract between a covered entity and a business partner could not grant the business partner authority to make uses or disclosures of protected health information that the covered entity itself would not have the authority to make. The contract between a covered entity and a business partner could further limit the business partner’s authority to use or disclose protected health information as agreed to by the parties. Further, the business partner would have to apply the same limitations to its subcontractors (or persons with similar arrangements) who assist with or carry out the business partner’s activities.

To help ensure that the uses and disclosures of business partners would be limited to those recognized as appropriate by the covered entities from whom they receive protected health information, subject to the exception discussed below, we are proposing that covered entities be prohibited from disclosing protected health information to a business partner unless the covered entity has entered into a written contract with the business partner that meets the requirements of this subsection. See proposed § 164.506(e)(2)(i). The written contract between a covered entity and a business partner would be required to:

  • prohibit the business partner from further using or disclosing the protected health information for any purpose other than the purpose stated in the contract.
  • prohibit the business partner from further using or disclosing the protected health information in a manner that would violate the requirements of this proposed rule if it were done by the covered entity. As discussed above, the covered entity could not permit the business partner to make uses or disclosures that the covered entity could not make.
  • require the business partner to maintain safeguards as necessary to ensure that the protected health information is not used or disclosed except as provided by the contract. We are only proposing a general requirement; the details can be negotiated to meet the particular needs of each arrangement. For example, if the business partner is a two-person firm the contractual provisions regarding safeguards may focus on controlling physical access to a computer or file drawers, while a contract with a business partner with 500 employees would address use of electronic technologies to provide security of electronic and paper records.
  • require the business partner to report to the covered entity any use or disclosure of the protected health information of which the business partner becomes aware that is not provided for in the contract.
  • require the business partner to ensure that any subcontractors or agents to whom it provides protected health information received from the covered entity will agree to the same restrictions and conditions that apply to the business partner with respect to such information.
  • establish how the covered entity would provide access to protected health information to the subject of that information, as would be required under § 164.514, when the business partner has made any material alteration in the information. The covered entity and the business partner would determine in advance how the covered entity would know or could readily ascertain, when a particular individual’s protected health information has been materially altered by the business partner, and how the covered entity could provide access to such information.
  • require the business partner to make available its internal practices, books and records relating to the use and disclosure of protected health information received from the covered entity to HHS or its agents for the purposes of enforcing the provisions of this rule.
  • establish how the covered entity would provide access to protected health information to the subject of that information, as would be required under § 164.514, in circumstances where the business partner will hold the protected health information and the covered entity will not.
  • require the business partner to incorporate any amendments or corrections to protected health information when notified by the covered entity that the information is inaccurate or incomplete.
  • at termination of the contract, require the business partner to return or destroy all protected health information received from the covered entity that the business partner still maintains in any form to the covered entity and prohibit the business partner from retaining such protected health information in any form.
  • state that individuals who are the subject of the protected health information disclosed are intended to be third party beneficiaries of the contract.
  • authorize the covered entity to terminate the contract, if the covered entity determines that the business partner has repeatedly violated a term of the contract required by this paragraph.

Each specified contract term above would be considered a separate implementation specification under this proposal for situations in which a contract is required, and, as discussed below, a covered entity would be responsible for assuring that each such implementation standard is met by the business partner. See proposed § 164.506(e)(2). The contract could include any additional arrangements that do not violate the provisions of this regulation.

The contract requirement that we are proposing would permit covered entities to exercise control over their business partners’ activities and provide documentation of the relationship between the parties, particularly the scope of the uses and disclosures of protected health information that business partners could make. The presence of a contract also would formalize the relationship, better ensuring that key questions such as security, scope of use and disclosure, and access by individuals are adequately addressed and that the roles of the respective parties are clarified. Finally, a contract can bind the business partner to return any protected health information from the covered entity when the relationship is terminated.

In lieu of a contracting requirement, we considered imposing only affirmative duties on covered entities to ensure that their relationships with business partners conformed to the standards discussed in the previous paragraph. Such an approach could be considered less burdensome and restrictive, because we would be leaving it to the parties to determine how to make the standards effective. We rejected this approach primarily because we believe that in the vast majority of cases, the only way that the parties could establish a relationship with these terms would be through contract. We also determined that the value of making the terms explicit through a written contract would better enable the parties to know their roles and responsibilities, as well as better enable the Secretary to exercise her oversight role. In addition, we understand that most covered entities already enter into contracts in these situations and therefore this proposal would not disturb general business practice. We invite comment on whether there are other contractual or non-contractual approaches that would afford an adequate level of protection to individuals’ protected health information. We also invite comment on the specific provisions and terms of the proposed approach.

We are proposing one exception to the contracting requirement: when a covered entity consults with or makes a referral to another covered entity for the treatment of an individual, we would propose that the sharing of protected health information pursuant to that consultation or referral not be subject to the contracting requirement described above. See proposed § 164.506(e)(1)(i). Unlike most business partner relationships, which involve the systematic sharing of protected health information under a business relationship, consultation and referrals for treatment occur on a more informal basis among peers, and are specific to a particular individual. Such exchanges of information for treatment also appear to be less likely to raise concerns about further impermissible use or disclosure, because health care providers receiving such information are unlikely to have a commercial or other interest in using or disclosing the information. We invite comment on the appropriateness of this exception, and whether there are additional exceptions that should be included in the final regulation.

We note that covered health care providers receiving protected health information for consultation or referral purposes would still be subject to this rule, and could not use or disclose such protected health information for a purpose other than the purpose for which it was received (i.e., the consultation or referral). Further, we note that providers making disclosures for consultations or referrals should be careful to inform the receiving provider of any special limitations or conditions to which the disclosing provider has agreed to impose (e.g., the disclosing provider has provided notice to its patients that it will not make disclosures for research).

Under the system that we are proposing, business partners (including business partners that are covered entities) that have contracts with more than one covered entity would have no authority to combine, aggregate or otherwise use for a single purpose protected health information obtained from more than one covered entity unless doing so would have been a lawful use or disclosure for each of the covered entities that supplied the protected health information that is being combined, aggregated or used. In addition, the business partner must be authorized through the contract or arrangement with each covered entity that supplied the protected health information to combine or aggregate the information. For example, a business partner of a health plan would be permitted to disclose information to another health plan for coordination of benefits purposes, if such a disclosure were authorized by the business partner’s contract with the covered entity that provided the protected health information. However, a business partner that is performing an audit of a group medical practice on behalf of several health plans could not combine protected health information that it had received from each of the plans, even if the business partner’s contracts with the plans attempted to allow such activity, because the plans themselves would not be permitted to exchange protected health information for such a purpose. A covered entity would not be permitted to obtain protected health information through a business partner that it could not otherwise obtain itself.

We further note that, as discussed above in section II.C.4, under our proposal a business partner generally could create a database of de-identified health information drawn from the protected health information of more than one covered entity with which it does business, and could use and disclose information and analyses from the database as they see fit, as long as there was no attempt to re-identify the data to create protected health information. In the example from the preceding paragraph, the business partner could review the utilization patterns of a group medical practice on behalf of several groups of plans by establishing a data base of de-identified health information drawn from all of its contracts with covered entities and review the use patterns of all of the individuals in the data base who had been treated by the medical group. The results of the analyses could be used by or distributed to any person, subject to the limitation that the data could not be identified. We would caution that business partners releasing such information and analyses would need to ensure that they do not inadvertently disclose protected health information by releasing examples or discussing specific cases in such a way that the information could be identified by people receiving the analysis or report.