Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.504(e) - Business Associates


Comment: Many commenters generally opposed the business partner standard and questioned the Secretary's legal authority under section 1172(a) of HIPAA to require business partner contracts. Others stated that the proposed rule imposed too great a burden on covered entities with regard to monitoring their business partners' actions. Commenters stated that they did not have the expertise to adequately supervise their business partners' activities - including billing, accounting, and legal activities - to ensure that protected health information is not inappropriately disclosed. Commenters argued that business partners are not "under the control" of health care providers, and that the rule would significantly increase the cost of medical care. Many commenters stated that the business partner provisions would be very time consuming and expensive to implement, noting that it is not unusual for a health plan or hospital to have hundreds of business partners, especially if independent physicians and local pharmacies are considered business partners. Many physician groups pointed out that their business partners are large providers, hospitals, national drug supplier and medical equipment companies, and asserted that it would be impossible, or very expensive, for a small physician group to attempt to monitor the activity of large national companies. Commenters stated that complex contract terms and new obligations would necessitate the investment of significant time and resources by medical and legal personnel, resulting in substantial expenses. Many commenters proposed that the duty to monitor be reduced to a duty to terminate the contractual arrangement upon discovery of a failure to comply with the privacy requirements.

In addition, many commenters argued that covered entities should have less responsibility for business partners' actions regarding the use and disclosure of protected health information. The proposed rule would have held covered entities responsible for the actions of their business partners when they "knew or reasonably should have known" of improper use of protected health information and failed to take reasonable steps to cure a breach of the business partner contract or terminate the contract. Many commenters urged that the term "knew or should have known" be clearly defined, with examples. Some commenters stated that covered entities should be liable only when they have actual knowledge of the material breach of the privacy rules by the business partner. Others recommended creation of a process by which a business partner could seek advice to determine if a particular disclosure would be appropriate. Some commenters stated that, in order to create an environment that would encourage covered entities to report misuses of protected health information, a covered entity should not be punished if it discovered an inappropriate disclosure.

Response: With regard to our authority to require business associate contracts, we clarify that Congress gave the Department explicit authority to regulate what uses and disclosures of protected health information by covered entities are "authorized." If covered entities were able to circumvent the requirements of these rules by the simple expedient of contracting out the performance of various functions, these rules would afford no protection to individually identifiable health information and be rendered meaningless. It is thus reasonable to place restrictions on disclosures to business associates that are designed to ensure that the personal medical information disclosed to them continues to be protected and used and further disclosed only for appropriate (i.e., permitted or required) purposes.

We do not agree that business associate contracts would necessarily have complex terms or result in significant time and resource burdens. The implementation specifications for business associate contracts set forth in § 164.504 are straightforward and clear. Nothing prohibits covered entities from having standard contract forms which could require little or no modification for many business associates.

In response to comments that the "knew or should have known" standard in the proposed rule was too vague or difficult to apply, and concerns that we were asking too much of small entities in monitoring the activities of much larger business associates, we have changed the rule. Under the final rule, we put responsibility on the covered entity to take action when it "knew of a pattern of activity or practice of the business associate that constituted, respectively, a material breach or violation of the business associate's obligation under the contract..." This will preclude confusion about what a covered entity 'should have known.' We interpret the term "knew" to include the situation where the covered entity has credible evidence of a violation. Covered entities cannot avoid responsibility by intentionally ignoring problems with their contractors. In addition, we have eliminated the requirement that a covered entity actively monitor and ensure protection by its business associates. However, a covered entity must investigate credible evidence of a violation by a business associate and act upon any such knowledge.

In response to the concern that the covered entity should not be punished if it discovers an inappropriate disclosure by its business associate, § 164.504(e) provides that the covered entity is not in compliance with the rule if it fails to take reasonable steps to cure the breach or end the violation, while § 164.530(f) requires the covered entity to mitigate, to the extent practicable, any resultant harm. The breach itself does not cause a violation of this rule.

Comment: Some commenters voiced support for the concept of business partners. Moreover, some commenters urged that the rule apply directly to those entities that act as business partners, by restricting disclosures of protected health information after a covered entity has disclosed it to a business partner.

Response: We are pleased that commenters supported the business associate standard and we agree that there are advantages to legislation that directly regulates most entities that use or disclose protected health information. However, we reiterate that our jurisdiction under the statute limits us to regulate only those covered entities listed in § 160.102.

Comment: Many commenters strongly opposed the provision in the proposed rule requiring business partner contracts to state that individuals whose protected health information is disclosed under the contract are intended third party beneficiaries of the contract. Many noted that HIPAA did not create a private right of action for individuals to enforce a right to privacy of medical information, and questioned the Secretary's authority to create such a right through regulation. Others questioned whether the creation of such a right was appropriate in light of the inability of Congress to reach consensus on the question, and perceived the provision as a "back door" attempt to create a right that Congress did not provide. Some commenters noted that third party beneficiary law varies from state to state, and that a third party beneficiary provision may be unenforceable in some states. These commenters suggested that the complexity and variation of state third party beneficiary law would increase cost and confusion with limited privacy benefits.

Commenters predicted that the provision would result in a dramatic increase in frivolous litigation, increased costs throughout the health care system, and a chilling effect on the willingness of entities to make authorized disclosures of protected information. Many commenters predicted that fear of lawsuits by individuals would impede the flow of communications necessary for the smooth operation of the health care system, ultimately affecting quality of care. For example, some predicted that the provision would inhibit providers from making authorized disclosures that would improve care and reduce medical errors. Others predicted that it would limit vendors' willingness to support information systems requirements. One large employer stated that the provision would create a substantial disincentive for employers to sponsor group health plans. Another commenter noted that the provision creates an anomaly in that individuals may have greater recourse against business partners and covered entities that contract with them than against covered entities acting alone.

However, some commenters strongly supported the concept of providing individuals with a mechanism to enforce the provisions of the rule, and considered the provision among the most important privacy protections in the proposed rule.

Response: We eliminate the requirement that business associate contracts contain a provision stating that individuals whose protected health information is disclosed under the contract are intended third-party beneficiaries of the contract.

We do not intend this change to affect existing laws regarding when individuals may be third party beneficiaries of contracts. If existing law allows individuals to claim third party beneficiary rights, or prohibits them from doing so, we do not intend to affect those rules. Rather, we intend to leave this matter to such other law.

Comment: Some commenters objected to the proposed rule's requirement that the business partner must return or destroy all protected health information received from the covered entity at the termination of the business partner contract. Commenters argued that business partners will need to maintain business records for legal and/or financial auditing purposes, which would preclude the return or destruction of the information. Moreover, they argued that computer back-up files may contain protected health information, but business partners cannot be expected to destroy entire electronic back-up files just because part of the information that they contain is from a client for whom they have completed work.

Response: We modify the proposed requirement that the business associate must return or destroy all protected health information received from the covered entity when the business associate contract is terminated. Under the final rule, a business associate must return or destroy all protected health information when the contract is terminated if feasible and lawful. The business partner contract must state that privacy protections continue after the contract ends, if there is a need for the business associate to retain any of the protected health information and for as long as the information is retained. In addition, the permissible uses of information after termination of the contract must be limited to those activities that make return or destruction of the information not feasible.

Comment: Many commenters recommended that providers and plans be excluded from the definition of "business partner" if they are already governed by the rule as covered entities. Providers expressed particular concern about the inclusion of physicians with hospital privileges as business partners of the hospital, as each hospital would be required to have written contracts with and monitor the privacy practices of each physician with privileges, and each physician would be required to do the same for the hospital. Another commenter argued that consultations between covered entities for treatment or referral purposes should not be subject to the business partner contracting requirement.

Response: The final rule retains the general requirement that, subject to the exceptions below, a covered entity must enter into a business associate contract with another covered entity when one is providing services to or acting on behalf of the other. We retain this requirement because we believe that a covered entity that is a business associate should be restricted from using or disclosing the protected health information it creates or receives through its business associate function for any purposes other than those that are explicitly detailed in its contract.

However, the final rule expands the proposed exception for disclosures of protected health information by a covered health care provider to another health care provider. The final rule allows such disclosures without a business associate contract for any activities that fall under the definition of "treatment." We agree with the commenter that the administrative burdens of requiring contracts in staff privileges arrangements would not be outweighed by any potential privacy enhancements from such a requirement. Although the exception for disclosure of protected health information for treatment could be sufficient to relieve physicians and hospitals of the contract requirement, we also believe that this arrangement does not meet the true meaning of "business associate," because both the hospital and physician are providing services to the patient, not to each other. We therefore also add an exception to § 164.502(e)(1) that explicitly states that a contract is not required when the association involves a health care facility and another health care provider with privileges at that facility, if the purpose is providing health care to the individual. We have also added other exceptions in § 164.502(e)(1)(ii) to the requirement to obtain "satisfactory assurances" under § 164.502(e)(1)(i). We do not require a business associate arrangement between group health plans and their plan sponsors because other, albeit analogous, requirements apply under § 164.504(f) that are more tailored to the specifics of that legal relationship. We do not require business associate arrangements between government health plans providing public benefits and other agencies conducting certain functions for the health plan, because these arrangements are typically very constrained by other law.

Comment: Many commenters expressed concern that required contracts for federal agencies would adversely affect oversight activities, including investigations and audits. Some health plan commenters were concerned that if HMOs are business partners of an employer then the employer would have a right to all personal health information collected by the HMO. A commenter wanted to be sure that authorization would not be required for accreditation agencies to access information. A large manufacturing company wanted to make sure that business associate contracts were not required between affiliates and a parent corporation that provides administrative services for a sponsored health plan. Attorney commenters asserted that a business partner contract would undermine the attorney/client relationship, interfere with attorney/client privilege, and was not necessary to protect client confidences. A software vendor wanted to be excluded because the requirements for contracts were burdensome and government oversight intrusive. Some argued that because the primary purpose of medical device manufacturers is supplying devices, not patient care, they should be excluded.

Response: We clarify in the above discussion of the definition of "business associate" that a health insurance issuer or an HMO providing health insurance or health coverage to a group health plan does not become a business associate simply by providing health insurance or health coverage. The health insurance issuer or HMO may perform additional functions or activities or provide additional services, however, that would give rise to a business associate relationship. However, even when an health insurance issuer or HMO acts as a business associate of a group health plan, the group health plan has no right of access to the other protected health information maintained by the health insurance issuer or HMO. The business associate contract must constrain the uses and disclosures of protected health information obtained by the business associate through the relationship, but does not give the covered entity any right to request the business associate to disclose protected health information that it maintains outside of the business associate relationship to the group health plan. Under HIPAA, employers are not covered entities, so a health insurance issuer or HMO cannot act as a business associate of an employer. See § 164.504(f) with respect to disclosures to plan sponsors from a group health plan or health insurance issuer or HMO with respect to a group health plan.

With respect to attorneys generally, the reasons the commenters put forward to exempt attorneys from this requirement were not persuasive. The business associate requirements will not prevent attorneys from disclosing protected health information as necessary to find and prepare witness, nor from doing their work generally, because the business associate contract can allow disclosures for these purposes. We do not require business associate contracts to identify each disclosure to be made by the business associate; these disclosures can be identified by type or purpose. We believe covered entities and their attorneys can craft agreements that will allow for uses and disclosures of protected health information as necessary for these activities. The requirement for a business associate contract does not interfere with the attorney-client relationship, nor does it override professional judgement of business associates regarding the protected health information they need to discharge their responsibilities. We do not require covered entities to second guess their professional business associates' reasonable requests to use or disclose protected health information in the course of the relationship.

The attorney-client privilege covers only a small portion of information provided to attorneys and so is not a substitute for this requirement. More important, attorney-client privilege belongs to the client, in this case the covered entity, and not to the individual who is the subject of the information. The business associate requirements are intended to protect the subject of the information.

With regard to government attorneys and other government agencies, we recognize that federal and other law often does not allow standard legal contracts among governmental entities, but instead requires agreements to be made through the Economy Act or other mechanisms; these are generally reflected in a memorandum of understanding (MOU). We therefore modify the proposed requirements to allow government agencies to meet the required "satisfactory assurance" through such MOUs that contain the same provisions required of business associate contracts. As discussed elsewhere, we believe that direct regulation of entities receiving protected health information can be as or more effective in protecting health information as contracts. We therefore also allow government agencies to meet the required "satisfactory assurances" if law or regulations impose requirements on business associates consistent with the requirements specified for business associate contracts.

We do not believe that the requirement to have a business associate contract with agencies that are performing the specified services for the covered entity or undertaking functions or activities on its behalf undermines the government functions being performed. A business associate arrangement requires the business associate to maintain the confidentiality of the protected health information and generally to use and disclose the information only for the purposes for which it was provided. This does not undermine government functions. We have exempted from the business associate requirement certain situations in which the law has created joint uses or custody over health information, such as when law requires another government agency to determine the eligibility for enrollment in a covered health plan. In such cases, information is generally shared across a number of government programs to determine eligibility, and often is jointly maintained. We also clarify that health oversight activities do not give rise to a business associate relationship, and that protected health information may be disclosed by a covered entity to a health oversight agency pursuant to § 164.512(d).

We clarify for purposes of the final rule that accreditation agencies are business associates of a covered entity and are explicitly included within the definition. During accreditation, covered entities disclose substantial amounts of protected health information to other private persons. A business associate contract basically requires the business associate to maintain the confidentiality of the protected health information that it receives and generally to use and disclose such information for the purposes for which it was provided. As with attorneys, we believe that requiring a business associate contract in this instance provides substantial additional privacy protection without interfering with the functions that are being provided by the business associate.

With regard to affiliates, § 164.504(d) permits affiliates to designate themselves as a single covered entity for purposes of this rule. (See § 164.504(d) for specific organizational requirements.) Affiliates that choose to designate themselves as a single covered entity for purposes of this rule will not need business associate contracts to share protected health information. Absent such designation, affiliates are business associates of the covered entity if they perform a function or service for the covered entity that necessitates the use or disclosure of protected health information.

Software vendors are business associates if they perform functions or activities on behalf of, or provide specified services to, a covered entity. The mere provision of software to a covered entity would not appear to give rise to a business associate relationship, although if the vendor needs access to the protected health information of the covered entity to assist with data management or to perform functions or activities on the covered entity's behalf, the vendor would be a business associate. We note that when an employee of a contractor, like a software or IT vendor, has his or her primary duty station on-site at a covered entity, the covered entity may choose to treat the employee of the vendor as a member of the covered entity's workforce, rather than as a business associate. See the preamble discussion to the definition of workforce, § 160.103.

With regard to medical device manufacturers, we clarify that a device manufacturer that provides "health care" consistent with the rule's definition, including being a "supplier" under the Medicare program, is a health care provider under the final rule. We do not require a business associate contract when protected health information is shared among health care providers for treatment purposes. However, a device manufacturer that does not provide "health care" must be a business associate of a covered entity if that manufacturer receives or creates protected health information in the performance of functions or activities on behalf of, or the provision of specified services to, a covered entity.

As to financial institutions, they are business associates under this rule when they conduct activities that cause them to meet the definition of business associate. See the preamble discussion of the definition of "payment" in § 164.501, for an explanation of activities of a financial institution that do not require it to have a business associated contract.

Disease managers may be health care providers or health plans, if they otherwise meet the respective definitions and perform disease management activities on their own behalf. However, such persons may also be business associates if they perform disease management functions or services for a covered entity.

Comment: Other commenters recommended that certain entities be included within the definition of "business partner," such as transcription services; employee representatives; in vitro diagnostic manufacturers; private state and comparative health data organizations; state hospital associations; warehouses; "whistleblowers," credit card companies that deal with health billing; and patients.

Response: We do not list all the types of entities that are business associates, because whether an entity is a business associate depends on what the entity does, not what the entity is. That is, this is a definition based on function; any entity performing the function described in the definition is a business associate. Using one of the commenters' examples, a state hospital association may be a business associate if it performs a service for a covered entity for which protected health information is required. It is not a business associate by virtue of the fact that it is a hospital association, but by virtue of the service it is performing.

Comment: A few commenters urged that certain entities, i.e., collection agencies and case managers, be business partners rather than covered entities for purposes of this rule.

Response: Collection agencies and case managers are business associates to the extent that they provide specified services to or perform functions or activities on behalf of a covered entity. A collection agency is not a covered entity for purposes of this rule. However, a case manager may be a covered entity because, depending on the case manager's activities, the person may meet the definition of either a health care provider or a health plan. See definitions of "health care provider" and "health plan" in § 164.501.

Comment: Several commenters complained that the proposed HIPAA security regulation and privacy regulation were inconsistent with regard to business partners.

Response: We will conform these policies in the final Security Rule.

Comment: One commenter expressed concern that the proposal appeared to give covered entities the power to limit by contract the ability of their business partners to disclose protected health information obtained from the covered entity regardless of whether the disclosure was permitted under proposed § 164.510, "Uses and disclosures for which individual authorization is not required" (§ 164.512 in the final rule). Therefore, the commenter argued that the covered entity could prevent the business partner from disclosing protected health information to oversight agencies or law enforcement by omitting them from the authorized disclosures in the contract.

In addition, the commenter expressed concern that the proposal did not authorize business partners and their employees to engage in whistleblowing. The commenter concluded that this omission was unintended since the proposal's provision at proposed § 164.518(c)(4) relieved the covered entity, covered entity's employees, business partner, and the business partner's employees from liability for disclosing protected health information to law enforcement and to health oversight agencies when reporting improper activities, but failed to specifically authorize business partners and their employees to engage in whistleblowing in proposed § 164.510(f), "Disclosures for law enforcement."

Response: Under our statutory authority, we cannot directly regulate entities that are not covered entities; thus, we cannot regulate most business associates, or 'authorize' them to use or disclose protected health information. We agree with the result sought by the commenter, and accomplish it by ensuring that such whistle blowing disclosures by business associates and others do not constitute a violation of this rule on the part of the covered entity.

Comment: Some commenters suggested that the need to terminate contracts that had been breached would be particularly problematic when the contracts were with single-source business partners used by health care providers. For example, one commenter explained that when the Department awards single-source contracts, such as to a Medicare carrier acting as a fiscal intermediary that then becomes a business partner of a health care provider, the physician is left with no viable alternative if required to terminate the contract.

Response: In most cases, we expect that there will be other entities that could be retained by the covered entity as a business associate to carry out those functions on its behalf or provide the necessary services. We agree that under certain circumstances, however, it may not be possible for a covered entity to terminate a contract with a business associate. Accordingly, although the rule still generally requires a covered entity to terminate a contract if steps to cure such a material breach fail, it also allows an exception to this to accommodate those infrequent circumstances where there simply are no viable alternatives to continuing a contract with that particular business associate. It does not mean, however, that the covered entity can choose to continue the contract with a non-compliant business associate merely because it is more convenient or less costly than doing business with other potential business associates. We also require that if a covered entity determines that it is not feasible to terminate a non-compliant business associate, the covered entity must notify the Secretary.

Comment: Another commenter argued that having to renegotiate every existing contract within the 2-year implementation window so a covered entity can attest to "satisfactory assurance" that its business partner will appropriately safeguard protected health information is not practical.

Response: The 2-year implementation period is statutorily required under section 1175(b) of the Act. Further, we believe that two years provides adequate time to come into compliance with the regulation.

Comment: A commenter recommended that the business partner contract specifically address the issue of data mining because of its increasing prevalence within and outside the health care industry.

Response: We agree that protected health information should only be used by business associates for the purposes identified in the business associate contract. We address the issue of data mining by requiring that the business associate contract explicitly identify the uses or disclosures that the business associate is permitted to make with the protected health information. Aside from disclosures for data aggregation and business associate management, the business associate contract cannot authorize any uses or disclosures that the covered entity itself cannot make. Therefore, data mining by the business associate for any purpose not specified in the contract is a violation of the contract and grounds for termination of the contract by the covered entity.

Comment: One commenter stated that the rule needs to provide the ability to contract with persons and organizations to complete clinical studies, provide clinical expertise, and increase access to experts and quality of care.

Response: We agree, and do not prohibit covered entities from sharing protected health information under a business associate contract for these purposes.

Comment: A commenter requested clarification as to whether sister agencies are considered business partners when working together.

Response: It is unclear from the comment whether the "sister agencies" are components of a larger entity, are affiliated entities, or are otherwise linked. Requirements regarding sharing protected health information among affiliates and components are found in § 164.504.

Comment: One commenter stated that some union contracts specify that the employer and employees jointly conduct patient quality of care reviews. The commenter requested clarification as to whether this arrangement made the employee a business partner.

Response: An employee organization that agrees to perform quality assurance for a group health plan meets the definition of a business associate. We note that the employee representatives acting on behalf of the employee organization would be performing the functions of the organization, and the employee organization would be responsible under the business associate contract to ensure that the representatives abided by the restrictions and conditions of the contract. If the employee organization is a plan sponsor of the group health plan, the similar provisions of § 164.504(f) would apply instead of the business associate requirements. See § 164.502(e)(1).

Comment: Some commenters supported regulating employers as business partners of the health plan. These commenters believed that this approach provided flexibility by giving employers access to information when necessary while still holding employers accountable for improper use of the information. Many commenters, however, stressed that this approach would turn the relationship between employers, employees and other agents "on its head" by making the employer subordinate to its agents. In addition, several commenters objected to the business partner approach because they alleged it would place employers at risk for greater liability.

Response: We do not require a business associate contract for disclosure of protected health information from group health plans to employers. We do, however, put other conditions on the disclosure of protected health information from group health plans to employers who sponsor the plan. See further discussion in § 164.504 on disclosure of protected health information to employers.

Comment: One commenter expressed concern that the regulation would discourage organizations from participating with Planned Parenthood since pro bono and volunteer services may have no contract signed.

Response: We design the rule's requirements with respect to volunteers and pro bono services to allow flexibility to the covered entity so as not to disturb these arrangements. Specifically, when such volunteers work on the premises of the covered entity, the covered entity may choose to treat them as members of the covered entity's workforce or as business associates. See the definitions of business associate and workforce in § 160.103. If the volunteer performs its work off-site and needs protected health information, a business associate arrangement will be required. In this instance, where protected health information leaves the premises of the covered entity, privacy concerns are heightened and it is reasonable to require an agreement to protect the information. We believe that pro bono contractors will easily develop standard contracts to allow those activities to continue smoothly while protecting the health information that is shared.