Vol. 78, No. 17, Friday, January 25, 2013
Part II
Department of Health and Human Services
Office of the Secretary
45 CFR Parts 160 and 164
Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule
5566 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0945–AA03

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules

AGENCY: Office for Civil Rights, Department of Health and Human Services.

ACTION: Final rule.

SUMMARY: The Department of Health and Human Services (HHS or "the Department") is issuing this final rule to: Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act ("the HITECH Act" or "the Act") to strengthen the privacy and security protection for individuals' health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

DATES: Effective date: This final rule is effective on March 26, 2013. Compliance date: Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.

FOR FURTHER INFORMATION CONTACT: Andra Wicks 202–205–2292.

SUPPLEMENTARY INFORMATION:

I. Executive Summary and Background

A. Executive Summary

i. Purpose of the Regulatory Action

Need for the Regulatory Action

This final rule is needed to strengthen the privacy and security protections established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for individuals' health information maintained in electronic health records and other formats. This final rule also makes changes to the HIPAA rules that are designed to increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements with those under the Department's Human Subjects Protections regulations. These changes are consistent with, and arise in part from, the Department's obligations under Executive Order 13563 to conduct a retrospective review of our existing regulations for the purpose of identifying ways to reduce costs and increase flexibilities under the HIPAA Rules. We discuss our specific burden reduction efforts more fully in the Regulatory Impact Analysis.

This final rule is comprised of four final rules, which have been combined to reduce the impact and number of times certain compliance activities need to be undertaken by the regulated entities.

Legal Authority for the Regulatory Action

The final rule implements changes to the HIPAA Rules under a number of authorities. First, the final rule modifies the Privacy, Security, and Enforcement Rules to strengthen privacy and security protections for health information and to improve enforcement as provided for by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The rule also includes final modifications to the Breach Notification Rule, which will replace an interim final rule originally published in 2009 as required by the HITECH Act. Second, the final rule revises the HIPAA Privacy Rule to increase privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act of 2008 (GINA). Finally, the Department uses its general authority under HIPAA to make a number of changes to the Rules that are intended to increase workability and flexibility, decrease burden, and better harmonize the requirements with those under other Departmental regulations.

ii. Summary of Major Provisions

This omnibus final rule is comprised of the following four final rules:

1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:

• Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.

• Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.

• Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.

• Require modifications to, and redistribution of, a covered entity's notice of privacy practices.

• Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.

• Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.

3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.

4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.
iii. Costs and Benefits

This final rule is anticipated to have an annual effect on the economy of $100 million or more, making it an economically significant rule under Executive Order 12866. Accordingly, we have prepared a Regulatory Impact Analysis that presents the estimated costs and benefits of the proposed rule. The total cost of compliance with the rule's provisions is estimated to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million annually thereafter. Costs associated with the rule include: (i) Costs to HIPAA covered entities of revising and distributing new notices of privacy practices to inform individuals of their rights and how their information is protected; (ii) costs to covered entities related to compliance with breach notification requirements; (iii) costs to a portion of business associates to bring their subcontracts into compliance with business associate agreement requirements; and (iv) costs to a portion of business associates to achieve full compliance with the Security Rule. We summarize these costs in Table 1 below and explain the components and distribution of costs in detail in the Regulatory Impact Analysis.

We are not able to quantify the benefits of the rule due to lack of data and the impossibility of monetizing the value of individuals' privacy and dignity, which we believe will be enhanced by the strengthened privacy and security protections, expanded individual rights, and improved enforcement enabled by the rule. We also believe that some entities affected by the rule will realize cost savings as a result of provisions that simplify and streamline certain requirements, and increase flexibility, under the HIPAA Rules. However, we are unable to quantify such cost savings due to a lack of data. We describe such benefits in the Regulatory Impact Analysis.

TABLE 1—ESTIMATED COSTS OF THE FINAL RULE

Cost element                                      Approximate number of affected entities                    Total cost
Notices of Privacy Practices                      700,000 covered entities                                   $55.9 million
Breach Notification Requirements                  19,000 covered entities                                    $14.5 million [1]
Business Associate Agreements                     250,000–500,000 business associates of covered entities    $21 million–$42 million
Security Rule Compliance by Business Associates   200,000–400,000 business associates of covered entities    $22.6 million–$113 million
Total                                                                                                        $114 million–$225.4 million

[1] The costs associated with breach notification will be incurred on an annual basis. All other costs are expected in the first year of implementation.

B. Statutory and Regulatory Background

i. HIPAA and the Privacy, Security, and Enforcement Rules

The HIPAA Privacy, Security, and Enforcement Rules implement certain of the Administrative Simplification provisions of title II, subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104–191), which added a new part C to title XI of the Social Security Act (sections 1171–1179 of the Social Security Act, 42 U.S.C. 1320d–1320d–8). The HIPAA Administrative Simplification provisions provided for the establishment of national standards for the electronic transmission of certain health information, such as standards for certain health care transactions conducted electronically and code sets and unique identifiers for health care providers and employers. The HIPAA Administrative Simplification provisions also required the establishment of national standards to protect the privacy and security of personal health information and established civil money penalties for violations of the Administrative Simplification provisions. The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as "covered entities": health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses.

The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, requires covered entities to have safeguards in place to ensure the privacy of protected health information, sets forth the circumstances under which covered entities may use or disclose an individual's protected health information, and gives individuals rights with respect to their protected health information, including rights to examine and obtain a copy of their health records and to request certain corrections. Covered entities that engage business associates to work on their behalf must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule.

The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, applies only to protected health information in electronic form and requires covered entities to implement certain administrative, physical, and technical safeguards to protect this electronic information. Like the Privacy Rule, covered entities must have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities.

The HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C–E, establishes rules governing the compliance responsibilities of covered entities with respect to the enforcement process, including the rules governing investigations by the Department, rules governing the process and grounds for establishing the amount of a civil money penalty where a violation of a HIPAA Rule has been found, and rules governing the procedures for hearings and appeals where the covered entity challenges a violation determination.

Since the promulgation of the HIPAA Rules, legislation has been enacted requiring modifications to the Rules. In particular, the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted on February 17, 2009, as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111–5, modifies certain provisions of the Social Security Act pertaining to the HIPAA Rules, as well as requires certain modifications to the Rules themselves, to strengthen HIPAA privacy, security, and enforcement. The Act also provides new requirements for notification of breaches of unsecured protected health information by covered entities and business associates. In addition, the Genetic Information Nondiscrimination Act of 2008 (GINA) calls for changes to the HIPAA Privacy Rule to strengthen privacy protections for genetic information. This final rule implements the modifications required by GINA, as well as most of the privacy, security, and enforcement provisions of the HITECH Act. This final rule also includes certain other modifications to the HIPAA Rules to improve their workability and effectiveness.

ii. The Health Information Technology for Economic and Clinical Health Act

The HITECH Act is designed to promote the widespread adoption and interoperability of health information technology. Subtitle D of title XIII, entitled "Privacy," supports this goal by adopting amendments designed to strengthen the privacy and security protections for health information established by HIPAA. These provisions include extending the applicability of certain of the Privacy and Security Rules' requirements to the business associates of covered entities; requiring that Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, shall be treated as business associates; requiring HIPAA covered entities and business associates to provide for notification of breaches of "unsecured protected health information"; establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes; prohibiting the sale of protected health information; and expanding individuals' rights to access their protected health information, and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, subtitle D adopts provisions designed to strengthen and expand HIPAA's enforcement provisions.

We discuss these statutory provisions in more detail below where we describe section-by-section how this final rule implements the provisions. We do not address in this rulemaking the accounting for disclosures requirement in section 13405 of the Act, which is the subject of a separate proposed rule published on May 31, 2011, at 76 FR 31426, or the penalty distribution methodology requirement in section 13410(c) of the Act, which will be the subject of a future rulemaking.

Since enactment of the HITECH Act a number of steps have been taken to implement the strengthened privacy, security, and enforcement provisions through rulemakings and related actions. On August 24, 2009, the Department published interim final regulations to implement the breach notification provisions at section 13402 of the HITECH Act (74 FR 42740), which were effective September 23, 2009. Similarly, the Federal Trade Commission (FTC) published final regulations implementing the breach notification provisions at section 13407 for personal health record vendors and their third party service providers on August 25, 2009 (74 FR 42962), effective September 24, 2009. For purposes of determining to what information the HHS and FTC breach notification regulations apply, the Department also issued, first on April 17, 2009 (published on April 27, 2009, 74 FR 19006), and then later with its interim final rule, the guidance required by the HITECH Act under 13402(h) specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, to conform the provisions of the Enforcement Rule to the HITECH Act's tiered and increased civil money penalty structure, which became effective on February 18, 2009, the Department published an interim final rule on October 30, 2009 (74 FR 56123), effective November 30, 2009.

The Department published a notice of proposed rulemaking (NPRM) on July 14, 2010, (75 FR 40868) to implement many of the remaining privacy, security, and enforcement provisions of the HITECH Act. The public was invited to comment on the proposed rule for 60 days following publication. The comment period closed on September 13, 2010. The Department received about 300 comments on the NPRM.

The NPRM proposed to extend the applicability of certain of the Privacy and Security Rules' requirements to the business associates of covered entities, making business associates directly liable for violations of these requirements. Additionally, the NPRM proposed to define a subcontractor as a business associate to ensure any protected health information the subcontractor creates or receives on behalf of the business associate is appropriately safeguarded. The NPRM proposed to establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes and to prohibit the sale of protected health information without an authorization. The NPRM also proposed to expand an individual's right to obtain an electronic copy of an individual's protected health information, and the right to restrict certain disclosures of protected health information to a health plan for payment or health care operations purposes. In addition, the NPRM proposed to further modify the Enforcement Rule to implement more of the HITECH Act's changes to HIPAA enforcement.

In addition to the proposed modifications to implement the HITECH Act, the NPRM also proposed certain other modifications to the HIPAA Rules. The NPRM proposed to permit the use of compound authorizations for conditioned and unconditioned research activities and requested comment regarding permitting authorizations for future research. Additionally, the NPRM proposed to modify the Privacy Rule's application to the individually identifiable health information of decedents and to permit covered entities that obtain the agreement of a parent to provide proof of immunization without written authorization to schools that are required to have such information.

iii. The Genetic Information Nondiscrimination Act

The Genetic Information Nondiscrimination Act of 2008 ("GINA"), Pub. L. 110–233, 122 Stat. 881, prohibits discrimination based on an individual's genetic information in both the health coverage (Title I) and employment (Title II) contexts. In addition to the nondiscrimination provisions, section 105 of Title I of GINA contains new privacy protections for genetic information, which require the Secretary of HHS to revise the Privacy Rule to clarify that genetic information is health information and to prohibit group health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes. On October 7, 2009, the Department published a proposed rule to strengthen the privacy protections for genetic information under the HIPAA Privacy Rule by implementing the protections for genetic information required by GINA and making related changes to the Rule. The 60-day public comment period for the proposed rule closed on December 7, 2009. The Department received about 25 comments on the proposed rule.

II. Overview of the Final Rule

In this final rule the Department finalizes the modifications to the HIPAA Privacy, Security, and Enforcement Rules to implement many of the privacy, security, and enforcement provisions of the HITECH Act and make other changes to the Rules; modifies the Breach Notification Rule; finalizes the modifications to the HIPAA Privacy Rule to strengthen privacy protections for genetic information; and responds to the public comments received on the proposed and interim final rules. Section III below describes the effective and compliance dates of the final rule. Section IV describes the changes to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act and other modifications that were proposed in July 2010, as well as the modifications to the Enforcement Rule under the HITECH Act that were addressed in the interim final rule published in October 2009. Section V describes the changes to the Breach Notification Rule. Section VI discusses the changes to the HIPAA Privacy Rule to strengthen privacy protections for genetic information.

III. Effective and Compliance Dates

With respect to the HITECH Act requirements, section 13423 of the Act provides that the provisions in subtitle D took effect one year after enactment, i.e., on February 18, 2010, except as specified otherwise. However, there are a number of exceptions to this general rule. For example, the tiered and increased civil money penalty provisions of section 13410(d) were effective for violations occurring after the date of enactment, and sections 13402 and 13407 of the Act regarding breach notification required interim final rules within 180 days of enactment, with effective dates 30 days after the publication of such rules. Other provisions of the Act have later effective dates. For example, the provision at section 13410(a)(1) of the Act providing that the Secretary's authority to impose a civil money penalty will only be barred to the extent a criminal penalty has been imposed, rather than in cases in which the offense in question merely constitutes an offense that is criminally punishable, became effective for violations occurring on or after February 18, 2011. The discussion below generally pertains to the statutory provisions that became effective on February 18, 2010, or, in a few cases, on a later date.

Proposed Rule

We proposed that covered entities and business associates would have 180 days beyond the effective date of the final rule to come into compliance with most of the rule's provisions. We believed that a 180-day compliance period would suffice for future modifications to the HIPAA Rules, and we proposed to add a provision at § 160.105 to address the compliance date generally for implementation of new or modified standards in the HIPAA Rules. We proposed that § 160.105 would provide that with respect to new standards or implementation specifications or modifications to standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates would be required to comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. For future modifications to the HIPAA Rules necessitating a longer compliance period, we would specify a longer period in the regulatory text. Finally, we proposed to retain the compliance date provisions at §§ 164.534 and 164.318, which provide the compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively, for historical purposes only.

Overview of Public Comments

Most of the comments addressing the proposed compliance periods as outlined above fell into three categories. First, several commenters supported the proposed compliance timelines and agreed that 180 days is sufficient time for covered entities, business associates, and subcontractors of all sizes to come into compliance with the final rule. Second, a few commenters supported the proposed 180-day compliance period, but expressed concern that the Department may wish to extend the 180-day compliance period in the future, if it issues modifications or new provisions that require a longer compliance period. Third, several commenters requested that the Department extend the 180-day compliance period both with regard to the modifications contained in this final rule and with regard to the more general proposed compliance deadline, as they believe 180 days is an insufficient amount of time for covered entities, business associates, and subcontractors to come into compliance with the modified rules, particularly with regard to changes in technology.

Final Rule

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule's provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA. We understand that some covered entities, business associates, and subcontractors remain concerned that a 180-day period does not provide sufficient time to come into compliance with the modifications. However, we believe not only that providing a 180-day compliance period best comports with section 1175(b)(2) of the Social Security Act, 42 U.S.C. 1320d–4, and our implementing provision at § 160.104(c)(1), which require the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules, but also that providing a 180-day compliance period best protects the privacy and security of patient information, in accordance with the goals of the HITECH Act.

In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules, we adopt the provision we proposed at § 160.105, which provides that with respect to new or modified standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. In cases where a future modification necessitates a longer compliance period, the Department will expressly provide for one, as it has done in this rulemaking with respect to the time permitted for business associate agreements to be modified.

For the reasons proposed, the final rule also retains the compliance date provisions at §§ 164.534 and 164.318, which provide the compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively. We note that § 160.105 regarding the compliance date of new or modified standards or implementation specifications does not apply to modifications to the provisions of the HIPAA Enforcement Rule, because such provisions are not standards or implementation specifications (as the terms are defined at § 160.103). Such provisions are in effect and apply at the time the final rule becomes effective or as otherwise specifically provided. In addition, as explained above, our general rule for a 180-day compliance period for new or modified standards would not apply where we expressly provide a different compliance period in the regulation for one or more of the provisions. For purposes of this rule, the 180-day compliance period would not govern the time period required to modify those business associate agreements that qualify for the longer transition period in § 164.532, as we discuss further below.

Finally, the provisions of section 13402(j) of the HITECH Act apply to breaches of unsecured protected health information discovered on or after September 23, 2009, the date of the publication of the interim final rule. Thus, during the 180-day period before compliance with this final rule is required, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule. We believe that this transition period provides covered entities and business associates with adequate time to come into compliance with the revisions in this final rule and at the same time to continue to fulfill their breach notification obligations under the HITECH Act.

IV. Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act; Other Modifications to the HIPAA Rules

The discussion below provides a section-by-section description of the final rule, as well as responds to public comments where substantive comments were received regarding particular provisions.

A. Subparts A and B of Part 160: Statutory Basis and Purpose, Applicability, Definitions, and

regulatory changes below are based.

2. Subpart A—General Provisions, Section 160.102—Applicability

This section sets out to whom the HIPAA Rules apply. We proposed to add and include in this final rule a new paragraph (b) to make clear, consistent with the HITECH Act, that certain of the standards, requirements, and implementation specifications of the subchapter apply to business associates.

3. Subpart A—General Provisions, Section 160.103—Definitions

Section 160.103 contains definitions of terms that appear throughout the HIPAA Rules. The final rule modifies a number of these definitions to implement the HITECH Act and make other needed changes.

a. Definition of "Business Associate"

The HIPAA Privacy and Security Rules permit a covered entity to disclose protected health information to a business associate, and allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, provided the covered entity obtains satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information. The HIPAA Rules define "business associate" generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. We proposed a number of modifications to the definition of "business associate" to implement the HITECH Act, to conform the term to the statutory provisions of

covered entity and, thus, information reported to a PSO may include protected health information that the PSO may analyze on behalf of the covered provider. The analysis of such information is a patient safety activity for purposes of PSQIA and the Patient Safety Rule, 42 CFR 3.10, et seq. While the HIPAA Rules as written would treat a PSO as a business associate when the PSO was performing quality analyses and other activities on behalf of a covered health care provider, we proposed this change to the definition of "business associate" to more clearly align the HIPAA and Patient Safety Rules.

Overview of Public Comment

Commenters on this topic supported the express inclusion of patient safety activities within the definition of "business associate."

Final Rule

The final rule adopts the proposed modification.

ii. Inclusion of Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as Well as Vendors of Personal Health Records

Proposed Rule

Section 13408 of the HITECH Act provides that an organization, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, that provides data transmission of protected health information to a covered entity (or its business associate) and that requires access on a routine basis to such protected health information must be
Preemption of State Law treated as a business associate for
the Patient Safety and Quality purposes of the Act and the HIPAA
Subpart A of Part 160 of the HIPAA Improvement Act of 2005 (PSQIA), 42 Privacy and Security Rules. Section
Rules contains general provisions that U.S.C. 299b–21, et seq., and to make 13408 also provides that a vendor that
apply to all of the HIPAA Rules. Subpart other changes to the definition. contracts with a covered entity to allow
B of Part 160 contains the regulatory i. Inclusion of Patient Safety the covered entity to offer a personal
provisions implementing HIPAA’s Organizations health record to patients as part of the
preemption provisions. We proposed to covered entity’s electronic health record
amend a number of these provisions. Proposed Rule
shall be treated as a business associate.
Some of the proposed, and now final, We proposed to add patient safety Section 13408 requires that such
changes are necessitated by the statutory activities to the list of functions and organizations and vendors enter into a
changes made by the HITECH Act and activities a person may undertake on written business associate contract or
GINA, while others are of a technical or behalf of a covered entity that give rise other arrangement with the covered
conforming nature. to a business associate relationship. entity in accordance with the HIPAA
PSQIA, at 42 U.S.C. 299b–22(i)(1), Rules.
1. Subpart A—General Provisions,
provides that Patient Safety In accordance with the Act, we
Section 160.101—Statutory Basis and
Organizations (PSOs) must be treated as proposed to modify the definition of
Purpose
business associates when applying the ‘‘business associate’’ to explicitly
This section sets out the statutory Privacy Rule. PSQIA provides for the designate these persons as business
sroberts on DSK5SPTVN1PROD with
basis and purpose of the HIPAA Rules. establishment of PSOs to receive reports associates. Specifically, we proposed to
We proposed and include in this final of patient safety events or concerns from include in the definition: (1) A Health
rule a technical change to include providers and provide analyses of Information Organization, E-prescribing
references to the provisions of GINA events to reporting providers. A Gateway, or other person that provides
and the HITECH Act upon which most reporting provider may be a HIPAA data transmission services with respect
VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 E:FRFM25JAR2.SGM 25JAR2
7. Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations 5571
to protected health information to a health information through a network, that a vendor offering a personal health
covered entity and that requires routine including providing record locator record to a patient on behalf of a
access to such protected health services and performing various covered entity only acts as a conduit
information; and (2) a person who offers oversight and governance functions for because there is no access by the vendor
a personal health record to one or more electronic health information exchange, to protected health information; another
individuals on behalf of a covered have more than ‘‘random’’ access to commenter suggested that personal
entity. protected health information and thus, health record vendors be business
We proposed to refer to ‘‘Health would fall within the definition of associates only when they have routine
Information Organization’’ in the NPRM ‘‘business associate.’’ access to protected health information.
rather than ‘‘Health Information
Exchange Organization’’ as used in the Overview of Public Comments Final Rule
Act because it is our understanding that Commenters generally supported the The final rule adopts the language
‘‘Health Information Organization’’ is inclusion of Health Information that expressly designates as business
the more widely recognized and Organizations, personal health record associates: (1) A Health Information
accepted term to describe an vendors, and similar entities in the Organization, E-prescribing Gateway, or
organization that oversees and governs definition of ‘‘business associate.’’ other person that provides data
the exchange of health-related However, commenters sought various transmission services with respect to
information among organizations.2 The clarifications as discussed below. protected health information to a
Act also specifically refers to Regional Commenters generally supported use covered entity and that requires routine
Health Information Organizations; of the term Health Information access to such protected health
however, we did not believe the Organization in lieu of more restrictive information; and (2) a person who offers
inclusion of the term in the definition terms, such as Regional Health a personal health record to one or more
of ‘‘business associate’’ was necessary as Information Organization. Some individuals on behalf of a covered
a Regional Health Information commenters suggested that the term entity.
Organization is simply a Health Health Information Organization be We decline to provide a definition for
Information Organization that governs defined, so as to avoid confusion as the Health Information Organization. We
health information exchange among industry develops, and suggested recognize that the industry continues to
organizations within a defined various alternatives for doing so. Several develop and thus the type of entities
geographic area.3 Further, the specific commenters recommended that the that may be considered Health
terms of ‘‘Health Information Office for Civil Rights (OCR) maintain a Information Organizations continues to
Organization’’ and ‘‘E-prescribing Web site link that lists current terms for evolve. For this reason, we do not think
Gateway’’ were included as merely entities that OCR considers to be Health it prudent to include in the regulation
illustrative of the types of organizations Information Organizations. a specific definition at this time. We
that would fall within this paragraph of Other commenters requested anticipate continuing to issue guidance
the definition of ‘‘business associate.’’ clarification on what it means to have in the future on our web site on the
We requested comment on the use of ‘‘access on a routine basis’’ to protected types of entities that do and do not fall
these terms within the definition and health information for purposes of the within the definition of business
whether additional clarifications or definition and determining whether associate, which can be updated as the
additions were necessary. certain entities are excluded as mere industry evolves.
Section 13408 also provides that the conduits. For example, commenters Regarding what it means to have
data transmission organizations that the asked whether the definition of business ‘‘access on a routine basis’’ to protected
Act requires to be treated as business associate would include broadband health information with respect to
associates are those that require access suppliers or internet service providers, determining which types of data
to protected health information on a vendors that only have the potential to transmission services are business
routine basis. Conversely, data come into contact with protected health associates versus mere conduits, such a
transmission organizations that do not information, or entities contracted on a determination will be fact specific based
require access to protected health contingency basis that may at some on the nature of the services provided
information on a routine basis would point in the future have access to and the extent to which the entity needs
not be treated as business associates. protected health information. Several access to protected health information
This is consistent with our prior document storage companies argued to perform the service for the covered
interpretation of the definition of that entities like theirs should be entity. The conduit exception is a
‘‘business associate,’’ through which we characterized as conduits, as they do not narrow one and is intended to exclude
have stated that entities that act as mere view the protected health information only those entities providing mere
conduits for the transport of protected they store. courier services, such as the U.S. Postal
health information but do not access the Several commenters sought Service or United Parcel Service and
information other than on a random or clarification regarding when personal their electronic equivalents, such as
infrequent basis are not business health record vendors would be internet service providers (ISPs)
associates. See http://www.hhs.gov/ocr/ considered business associates. For providing mere data transmission
privacy/hipaa/faq/providers/business/ example, commenters asked whether services. As we have stated in prior
245.html. In contrast, entities that personal health record vendors would guidance, a conduit transports
manage the exchange of protected be business associates when the vendor information but does not access it other
provided the personal health record in than on a random or infrequent basis as
2 Department of Health and Human Services collaboration with the covered entity, necessary to perform the transportation
Office of the National Coordinator for Health when the personal health record is service or as required by other law. For
sroberts on DSK5SPTVN1PROD with
Information Technology, The National Alliance for linked to a covered entity’s electronic example, a telecommunications
Health Information Technology Report to the Office health record, or when the personal company may have occasional, random
of the National Coordinator for Health Information
Technology: Defining Key Health Information health record is offered independently access to protected health information
Terms, Pg. 24 (2008). to the individual, among other when it reviews whether the data
3 Id. at 25. scenarios. One commenter suggested transmitted over its network is arriving
VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 E:FRFM25JAR2.SGM 25JAR2
8. 5572 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations
at its intended destination. Such vendor is not a business associate of a Response to Other Public Comments
occasional, random access to protected covered entity solely by virtue of Comment: One commenter
health information would not qualify entering into an interoperability recommended that the term ‘‘person’’
the company as a business associate. In relationship with a covered entity. For used in describing who provides
contrast, an entity that requires access to example, when a personal health record transmission services to a covered entity
protected health information in order to vendor and a covered entity establish be clarified to apply also to entities and
perform a service for a covered entity, the electronic means for a covered organizations.
such as a Health Information entity’s electronic health record to send Response: The term ‘‘person’’ as
Organization that manages the exchange protected health information to the defined at § 160.103 includes entities as
of protected health information through personal health record vendor pursuant well as natural persons.
a network on behalf of covered entities to the individual’s written Comment: One commenter asked
through the use of record locator authorization, it does not mean that the whether subcontractors that support
services for its participants (and other personal health record vendor is business associates with personal health
services), is not considered a conduit offering the personal health record on record related functions are subject to
and, thus, is not excluded from the behalf of the covered entity, even if the breach notification requirements
definition of business associate. We there is an agreement between the under the HIPAA Breach Notification
intend to issue further guidance in this personal health record vendor and the Rule or that of the FTC.
area as electronic health information covered entity governing the exchange Response: As discussed below, a
exchange continues to evolve. of data (such as an agreement specifying subcontractor that creates, receives,
We note that the conduit exception is the technical specifications for maintains, or transmits protected health
limited to transmission services information on behalf of a business
exchanging of data or specifying that
(whether digital or hard copy), associate, including with respect to
such data shall be kept confidential). In
including any temporary storage of personal health record functions, is a
contrast, when a covered entity hires a
transmitted data incident to such HIPAA business associate and thus, is
vendor to provide and manage a
transmission. In contrast, an entity that subject to the HIPAA Breach
maintains protected health information personal health record service the
covered entity wishes to offer its Notification Rule and not that of the
on behalf of a covered entity is a FTC. The analysis of whether a
business associate and not a conduit, patients or enrollees, and provides the
vendor with access to protected health subcontractor is acting on behalf of a
even if the entity does not actually view business associate is the same analysis
the protected health information. We information in order to do so, the
personal health record vendor is a as discussed above with respect to
recognize that in both situations, the whether a business associate is acting
entity providing the service to the business associate.
on behalf of a covered entity.
covered entity has the opportunity to A personal health record vendor may
access the protected health information. offer personal health records directly to iii. Inclusion of Subcontractors
However, the difference between the individuals and may also offer personal Proposed Rule
two situations is the transient versus health records on behalf of covered
persistent nature of that opportunity. entities. In such cases, the personal We proposed in the definition of
For example, a data storage company health record vendor is only subject to ‘‘business associate’’ to provide that
that has access to protected health HIPAA as a business associate with subcontractors of a covered entity, i.e.,
information (whether digital or hard respect to personal health records that those persons that perform functions for
copy) qualifies as a business associate, are offered to individuals on behalf of or provide services to a business
even if the entity does not view the covered entities. associate other than in the capacity as
information or only does so on a a member of the business associate’s
We also clarify that, contrary to one workforce, are also business associates
random or infrequent basis. Thus,
commenter’s suggestion, a personal to the extent that they require access to
document storage companies
maintaining protected health health record vendor that offers a protected health information. We also
information on behalf of covered personal health record to a patient on proposed to define ‘‘subcontractor’’ in
entities are considered business behalf of a covered entity does not act § 160.103 as a person who acts on behalf
associates, regardless of whether they merely as a conduit. Rather, the of a business associate, other than in the
actually view the information they hold. personal health record vendor is capacity of a member of the workforce
To help clarify this point, we have maintaining protected health of such business associate. Even though
modified the definition of ‘‘business information on behalf of the covered we used the term ‘‘subcontractor,’’
associate’’ to generally provide that a entity (for the benefit of the individual). which implies there is a contract in
business associate includes a person Further, a personal health record vendor place between the parties, the definition
who ‘‘creates, receives, maintains, or that operates a personal health record would apply to an agent or other person
transmits’’ (emphasis added) protected on behalf of a covered entity is a who acts on behalf of the business
health information on behalf of a business associate if it has access to associate, even if the business associate
covered entity. protected health information, regardless has failed to enter into a business
Several commenters sought of whether the personal health record associate contract with the person. We
clarification on when a personal health vendor actually exercises this access. requested comment on the use of the
record vendor would be providing a We believe the revisions to the term ‘‘subcontractor’’ and its proposed
personal health record ‘‘on behalf of’’ a definition of ‘‘business associate’’ definition.
covered entity and thus, would be a discussed above clarify these points. As The intent of the proposed extension
business associate for purposes of the with other aspects of the definition of of the Rules to subcontractors was to
sroberts on DSK5SPTVN1PROD with
HIPAA Rules. As with data transmission ‘‘business associate,’’ we intend to avoid having privacy and security
services, determining whether a provide future guidance on when a protections for protected health
personal health record vendor is a personal health record vendor is a information lapse merely because a
business associate is a fact specific business associate for purposes of the function is performed by an entity that
determination. A personal health record HIPAA Rules. is a subcontractor rather than an entity
VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 E:FRFM25JAR2.SGM 25JAR2