HITECH and Business Associate Compliance – The Key Points

The following is an outline of a presentation I’ve done on new Business Associate compliance and risk issues under the Health Information Technology for Economic and Clinical Health Act (HITECH), the portion of the American Recovery and Reinvestment Act (ARRA) dealing principally with electronic health records (EHRs).

HITECH compliance is both possible and necessary, but needs to be approached with care, a willingness to analyze difficult legislative provisions, and a sense of humor. Professional help is highly recommended. If you are so inclined, an alcoholic beverage after a HITECH work session – not before! – is also recommended.

If you’d like a copy of the presentation let me know and I’ll send it along. Good luck!


1. American Recovery and Reinvestment Act of 2009, H.R. 1, Pub.L. 111-5 (February 17, 2009)

a. “ARRA” or “the Stimulus Bill”

b. 407 pages

2. Title XIII of ARRA: Health Information Technology for Economic and Clinical Health Act – “HITECH Act”

a. 53 pages

3. Subtitle D: Privacy

a. 21 pages

ARRA was principally intended as stimulus vehicle. HITECH was drafted principally to provide funding for electronic health records (EHRs) and related activities. Subtitle D was added to provide additional legal protections given increased use of electronic systems for healthcare use. My opinion: It was hastily drafted, will be hard to interpret in some cases, and will have unintended consequences.

Compare: HIPAA Administrative Simplification was principally intended for claims processing reform, and wound up reforming healthcare privacy and security.

B. Principal HITECH Concepts (in order of current importance)

1. Extend regulation over key healthcare IT players (Business Associates)

2. Create new security breach notification requirements

3. Increase penalties and tighten enforcement

4. Tighten some PHI use and disclosure limitations

5. Tweak patient/consumer data access rights

C. Business Associates Overview

1. The Old Business Associate (BA) Rules

As a matter of jurisdiction HIPAA applies only to Covered Entities (CEs), defined by statute to include health plans, health care clearinghouses and health care providers. See 45 CFR § 160.103.

The “Business Associate” (BA) was therefore created to allow CEs to use non-CEs to work with Protected Health Information (PHI) on their behalf, without the PHI losing legal protection. A BA is therefore defined as a person to whom a CE discloses PHI so the person can carry out, assist with, or perform a function or activity on behalf of the CE. 45 CFR § 160.103. BA examples include:

  • Claims processing, transcription service, application services providers, utilization review, quality assurance, etc.
  • Legal, actuarial, accounting, collections, consulting, accreditation, financial, etc. services
  • “Any other function or activity regulated by” HIPAA

2. The Old Business Associate Contracts Rules

A CE may disclose Protected Health Information (PHI) to/allow a BA to create or receive PHI on CE’s behalf upon “satisfactory assurance” BA will “appropriately safeguard” PHI. 45 CFR § 164.502. A “satisfactory assurance” is a Business Associate Contract (BAC) including required provisions (or equivalent memorandum of understanding if governmental entities, plan document provisions if group health plan). 45 CFR § 164.504(e). A BAC must include the following provisions:

  • Establish permitted uses/disclosures of PHI by BA on behalf of CE, and may permit it for “proper management and administration” of BA
  • Prohibit PHI uses/disclosures not permitted by BAC, or “as required by law”
  • BA to use “appropriate safeguards” to prevent non-permitted uses/disclosures of all PHI, and implement “administrative, physical and technical safeguards” to protect confidentiality, integrity, availability of electronic PHI
  • Report to CE any non-permitted use/disclosure of PHI, and any “security incident of which [the BA] becomes aware”
  • Ensure that BA agents/subcontractors agree to same “conditions/restrictions” as BA, and implement “reasonable and appropriate safeguards to protect it”
  • Make PHI available for individual access and amendment, and provide for accounting of disclosures
  • Make BA “internal practices, books and records” available to DHHS for review in determining CE’s HIPAA compliance
  • Provide for return/destruction/“escrow” of PHI upon termination of BAC
  • Authorize termination of BAC if CE “determines” that BA has “violated a material term” of the BAC

45 CFR §§ 164.314(a), .504(e)

PHI protection is enforced because a CE may be penalized if CE “knew of a pattern of activity or practice” of the BA “that constituted a material breach or violation” of the BAC, unless:

  • The CE took “reasonable steps to cure the breach or end the violation” and, “if such steps were unsuccessful:”
  • Terminated the BAC, if “feasible,” or if not “feasible” reported the problem to DHHS

45 CFR § 164.504(e)(1)(ii). HIPAA provides no jurisdiction to penalize BAs.

D. The New HITECH BA Rules: Summary

1. Subtitle D incorporates the following HIPAA regulatory terms by reference:

  • Business Associate, Covered Entity, disclose, health care operations, health plan, health care provider, payment, protected health information, use

2. BAs are now required to comply with HIPAA security regulations, and HITECH security requirements

3. BAs required to comply with HITECH privacy requirements

4. HITECH privacy and security requirements incorporated in BACs

5. BAs required to terminate BAC or notify DHHS of CE breach or violation

6. BAs may be audited by DHHS

7. BAs subject to civil and criminal penalties for HIPAA privacy or security regulation violations

E. Business Associates Security Drill-Down

1. BAs are now required to comply with the HIPAA Security Rule:

Sections 164.308, 164.310, 164.312, and 164.316 of [the HIPAA security regulations] shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

HITECH § 13401(a)

2. The regulations included for compliance are the following:

a. 45 CFR §164.308: Administrative safeguards

i. Standard: Security management process

A. Specifications

I. Risk analysis (R): “Accurate and thorough assessment of potential risks and vulnerabilities”

II. Risk management (R): Security measures “sufficient to reduce risks and vulnerabilities,” to ensure confidentiality, integrity and availability, protect against reasonably anticipated threats or hazards, protect against improper uses or disclosures, and ensure workforce compliance

III. Sanction policy (R): Against workforce for failure to comply with security policies and procedures

IV. Information system activity review (R): Regular review of audit logs, access reports, security incident tracking reports

ii. Standard: Assigned security responsibility

A. No separate specification; identify security official responsible for policy and procedure development and implementation

iii. Standard: Workforce security

A. Specifications

I. Authorization and/or supervision (A): Of workforce with access to electronic protected health information

II. Workforce clearance procedure (A): For determination whether access rights are appropriate

III. Termination procedures (A): To end access to electronic protected health information when employment terminated or clearance determined inappropriate

iv. Standard: Information access management

A. Specifications

I. Isolate health care clearinghouse functions (R)

II. Access authorization (A): Policies and procedures to grant users access to system resources allowing access to electronic protected health information (e.g. workstations, transactions, processes)

III. Access establishment and modification (A): Policies and procedures to establish, document, review and modify users’ access authorizations

v. Standard: Security awareness and training program (all workforce, “including management”)

A. Specifications

I. Security reminders (A)

II. Protection from “malicious software” (A): Guarding against, detecting, reporting viruses, etc.

III. Log-in monitoring (A): Procedures for monitoring log-in attempts and reporting “discrepancies”

IV. Password management (A): Creation, changing and safeguarding

vi. Standard: Contingency planning (emergency and “other occurrences” such as fire, vandalism, system failure, natural disaster) for information systems

A. Specifications

I. Data backup plan (R)

II. Disaster recovery plan (R)

III. Emergency mode operation (R)

IV. Plan testing and revision (A)

V. Applications and data criticality analysis (A): “Assess relative criticality of specific applications and data”

vii. Standard: Evaluation

A. No separate specification; “technical and nontechnical evaluation,” periodic and “in response to environmental or operational changes,” of extent to which policies and procedures meet Security Rule requirements

viii. Standard: Business associates

A. Specifications (45 CFR § 164.314)

I. Contract or “other arrangement” required before covered entity “may permit a business associate to create, receive, maintain, or transmit electronic protected health information” on its behalf

a. Not required for transmissions to providers for treatment, by group health plan, HMO, health insurance issuer on behalf of group health plan to plan sponsor, or transmission to government agencies providing public benefits

B. Contract must include provisions (45 CFR § 164.314(a)) that:

I. Business associate will “implement administrative, physical and technical safeguards that reasonably and appropriately protect” electronic protected health information

II. Any business associate agent or subcontractor will also implement such safeguards

III. Business associate will report “any security incident of which it becomes aware”

IV. Contract may be terminated for breach of material term

b. 45 CFR §164.310: Physical safeguards

i. Standard: Facility access controls: Policies and procedures to limit physical access to information systems, while permitting authorized access

A. Specifications:

I. Contingency operations (A): Procedures for access to restore lost data under disaster recovery and emergency mode operations

II. Facility security plan (A): To safeguard facility and equipment against unauthorized access, tampering, theft

III. Access control and validation (A): Control and validate individuals’ access to facility and equipment, including visitor control and software testing/revision access control

IV. Maintenance records (A): Security-related facility elements (e.g. hardware, walls, doors, locks)

ii. Standard: Workstation use

A. No separate specification; policies and procedures to specify proper workstation functions, manner of performing functions, and physical attributes of workstation “surroundings”

iii. Standard: Workstation security

A. No separate specification; physical safeguards to restrict access to authorized users

iv. Standard: Device and media controls (hardware, electronic media)

A. Specifications:

I. Disposal (R)

II. Media Re-use (R)

III. Accountability (A): Records of “movement of hardware and electronic media and any person responsible therefor”

IV. Data backup and storage (A): “Create retrievable, exact copy of electronic protected health information, when needed, before movement of equipment”

c. 45 CFR §164.312: Technical safeguards

i. Standard: Access controls

A. Specifications:

I. Unique user identification (R): Unique name or number for identifying and tracking

II. Emergency access procedure (R): For obtaining access to electronic protected health information

III. Automatic log-off (A): Session termination after predetermined period of inactivity

IV. Encryption and decryption (A): Electronic protected health information in storage

ii. Standard: Audit controls

A. No separate specification; “hardware, software or procedural mechanisms that record and examine” system activity

iii. Standard: Integrity (protection against improper alteration or destruction)

A. Specification (A): Electronic mechanisms

iv. Standard: Person/entity authentication (confirmation of identity)

A. No separate specification; procedures to verify identity

v. Standard: Transmission security

A. Specifications:

I. Integrity controls (A): Ensure information is not improperly modified without detection

II. Encryption (A)

d. 45 CFR §164.316: Policies and procedures documentation

i. Standard: Policies and procedures

A. No separate specification; may be changed at any time but changes must be documented

ii. Standard: Documentation (policies and procedures; security actions, activities, assessment; in writing or electronic)

A. Specifications:

I. Time limit (R): Six years from later of creation or applicability

II. Availability (R): To individuals responsible for implementing documented procedures (presumably also to DHHS)

III. Updates (R): Periodic review, and in response to “environmental or operational changes”

3. Security regulations not included:

a. 45 CFR § 164.304: Definitions. Lack of inclusion confusing but not a problem – defined terms used in HITECH and Security Rule.

b. 45 CFR § 164.306: General rules – Security objectives, flexible approach, required vs. addressable specifications, maintenance. Lack of inclusion implies less discretion? Or nothing in particular?

c. 45 CFR § 164.314: Organizational requirements – Business associate contracts. Lack of inclusion confusing but meaningless? Is a business associate required to have a business associate contract with subcontractors or not?

F. HITECH Security Requirements Included

“This title” presumably means Title XIII – not just Subtitle D

1. Subtitle D requirements:

a. § 13401 – redundant, recursive

b. § 13401 – security breach notification

2. Other Title XIII security requirements – future standards adopted under § 3004?

G. BA Security Compliance Requirements

1. Implement security program meeting all the security regulation requirements

2. Also review CMS Sample Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews for supplemental perspective

3. Coordinate with CE(s) – some security measures may interfere with common or shared activities or systems

Examples: Transmission encryption, system access, authorization roles – there are others

Look for problems with differing risk tolerances

H. New BAC Privacy Rules

[A Business Associate may use and disclose PHI obtained pursuant to a BAC only] in compliance with each applicable requirement of [45 CFR § 164.504(e).] The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

HITECH § 13404(a)

1. 45 CFR § 164.504(e): Privacy regulations BAC standard and specifications (see above)

2. Other privacy regulation compliance not required of BAs – except as provided in old BAC required provisions

3. BAC compliance now required of BAs by law

4. HITECH privacy requirements applied to BAs

a. “This subtitle” presumably means Subtitle D, not Title XIII

b. Subtitle D requirements applicable to CEs (see below) – health plan PHI disclosure restrictions, new minimum necessary provisions, new EHR accounting of disclosures rules, new patient access to information rules, new limitations on EHR sales and marketing

I. BAC Compliance

HITECH §§ 13401(a), 13404(a) provide that HITECH requirements “of this title” (security) and “of this subtitle” (privacy) “shall be incorporated into the business associate agreement between the business associate and the covered entity.”

Does “shall be incorporated” mean:

  • “Are hereby incorporated by law” without further action required by the parties?
  • That the parties “are hereby directed to incorporate the requirements into their BACs” by amendment or update?

No OCR guidance as of drafting date, so here are some suggestions for dealing with BACs:

  • If OCR says amend, amend
  • If OCR says amend right away, we have a lot of work to do fast
  • If OCR says amend but enforcement will be stayed, we have a lot of work to do but hopefully more time to do it in
  • If OCR says incorporated by law, amend anyway

1) Statutory provisions are hard to interpret as contract terms – especially HITECH

2) Statutory obligations do not define details of contract compliance

  • E.g. security breach notification requirements do not specify CE notice terms, procedures for response coordination, cost allocations, etc.

Staged amendment process:

1) Implement new forms to use going forward – new and renewing contracts

2) Ensure BACs are identified and subject to management

3) Communicate SOON with key BA or CE business partners

J. New BAC Termination Rules:

Section 164.504(e)(1)(ii) of title 45, Code of Federal Regulations, shall apply to a business associate . . . in the same manner that such section applies to a covered entity, with respect to compliance with the standards in sections 164.502(e) and 164.504(e) of such title, except that in applying such section 164.504(e)(1)(ii) each reference to the business associate, with respect to a contract, shall be treated as a reference to the covered entity involved in such contract.

HITECH § 13404(b)

  • 45 CFR § 164.504(e)(1)(ii): Termination of business associate contract for breach
  • 45 CFR § 164.502(e), .504(e): Business associate disclosure and contract standards and specifications

K. Old BAC Termination Rule

A covered entity is not in compliance with the standards in §164.502(e) and paragraph (e) of this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to [DHHS]

45 CFR § 164.504(e)(1)(ii)

L. Interpretation of the New Termination Rule

Here’s the old rule, with “Business Associate” substituted for “Covered Entity” and vice-versa, to demonstrate how this works.

A [Business Associate] is not in compliance with the standards in §164.502(e) and paragraph (e) of this section, if the [Business Associate] knew of a pattern of activity or practice of the [Covered Entity] that constituted a material breach or violation of the [Covered Entity’s] obligation under the contract or other arrangement, unless the [Business Associate] took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to [DHHS]

45 CFR § 164.504(e)(1)(ii)

  • How will this work in real life? How can a CE violate a BAC? (There are several ways I can think of)
  • What BAs might learn about CE violations? Should CEs include some kind of BAs in compliance programs, e.g. violation hot lines?
  • What traps exist? Can e.g. a BA law firm ethically report a CE violation?
  • How to draft sensible BAC terms around this? Can the same kinds of terms be used for all contracts? Maybe include CE reporting and escalation requirements prior to DHHS notice or termination?
  • Note risk of new, enhanced penalties for BAs for failure to notify or terminate

M. New Rules on HIPAA Criminal/Civil Penalties

Applicable to both CEs and BAs

In the case of a business associate that violates any provision of subsection (a) or (b), the provisions of sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner as such provisions apply to a person who violates a provision of part C of title XI of such Act.

HITECH § 13404(c)

  • 42 USC § 1320d-6: HIPAA criminal penalties
  • 42 USC § 1320d-5: HIPAA civil penalties

N. The Old Civil Penalties Rules

1. $100 per violation of Privacy or Security Rule requirement or prohibition

2. Maximum $25,000 per calendar year per “identical” requirement or prohibition

  • Example: Unencrypted transmission = $100 penalty
  • 250 unencrypted transmissions = $25,000 penalty
  • 10,000 unencrypted transmissions = $25,000 penalty

3. “Continuing” violations (e.g. failure to conduct risk assessment) counted at one violation per day until cured

45 CFR §§ 164.404, .406

4. Affirmative defenses: Violation due to “reasonable cause,” not “willful neglect,” and under correction. 45 CFR § 160.410

5. Penalty aggravation/mitigation factors: Nature, harm caused by violation; intentional violation vs. violation “beyond control;” compliance history; financial factors. 45 CFR § 164.408

O. The New Civil Penalties Rules

  • Violation not known (despite due diligence): Remains at $100/violation to $25,000 maximum
  • Violation due to “reasonable cause”: Increased to $1,000/violation to $100,000 maximum
  • Violation due to “willful neglect”: Increased to $500,000/violation to $1.5 million maximum

HITECH § 13410

  • All penalties currently effective
  • DHHS required to publish regulations on “willful neglect” and required to impose penalties for it beginning February 17, 2011
  • State attorneys general granted civil penalties jurisdiction – and attorneys fees for successful action
  • Affected individuals may be awarded penalty share per regulations to be effective beginning February 17, 2012

1. New penalty regime changes the BA calculus

a) Is the contract worth the risk?

b) Can the BA provide the same (or similar) services without PHI?

c) Some organizations clearly not – RHIOs, QIOs, etc.

d) Some organizations might be able to, for some services – consulting, accounting, law, etc.

e) Should the BA increase fees to meet increased regulatory burdens and risks?

P. Effective Dates and Potential for Extension Pending Regulations?

“Unless otherwise specified:” Feb. 17, 2010. HITECH § 13423.

  • BA security regulation compliance: No.
  • HITECH § 13401(c) requires annual “guidance,” compliance not contingent
  • BAC compliance (if amendment required): Some elements; mostly not
  • HITECH § 13404(a) requires incorporation of HITECH CE privacy requirements in BAC; some require regulations to be effective

Q. New Privacy Rules – PHI: Health Plan Disclosures

1. Existing Rule: 45 CFR § 164.522

(a)(1) Standard: right of an individual to request restriction of uses and disclosures.

(i) A covered entity must permit an individual to request that the covered entity restrict:

(A) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and

(B) Disclosures permitted under § 164.510(b).

(ii) A covered entity is not required to agree to a restriction.

(iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.

45 CFR § 164.522

2. New Mandatory Restriction:

REQUESTED RESTRICTIONS ON CERTAIN DISCLOSURES OF HEALTH INFORMATION.—In the case that an individual requests under paragraph (a)(1)(i)(A) of section 164.522 of title 45, Code of Federal Regulations, that a covered entity restrict the disclosure of the protected health information of the individual, notwithstanding paragraph (a)(1)(ii) of such section, the covered entity must comply with the requested restriction if—

(1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and

(2) the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

HITECH §13405(a)

3. Questions and Implications:

  • What is “out of pocket”? Cash? Check? Credit card?
  • Prudent approach: Accept cash. (Why not?) Consider whether to accept checks (stop payment risk), credit cards (dispute risk)
  • How are indirect and referred providers notified? Do they have independent duties to restrict information from first provider (paid in full) even if they are not?
  • Review policies, procedures, processes and information system controls and modify as needed to implement restrictions
  • What if information is needed for plan coverage decisions? Individual informed consent?

R. New Privacy Rules: Minimum Necessary

1. Existing Rules: 45 CFR § 164.502(b)

When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

This requirement does not apply to:

(i) Disclosures to a health care provider for treatment;

(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section;

(iii) Uses or disclosures made pursuant to an authorization under § 164.508;

(iv) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;

(v) Uses or disclosures that are required by law, as described by § 164.512(a); and

(vi) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.

a. Applies to requests for PHI by Covered Entities, as well as their disclosures

  • For recurring types of disclosures, implement policies identifying persons or classes of persons permitted to receive, and scope of information
  • For all other types of disclosures, case-by-case determination using pre-established criteria

45 CFR § 164.514(d)

2. New Rule:

a. Two phase compliance:

  • Statutory Compliance: February 17, 2009 – August 17, 2010+ (18+ months)
  • Regulatory Compliance: Regulation effective date forward

b. Statutory period: The following provision applies:

A covered entity shall be treated as being in compliance with section 164.502(b)(1) . . . with respect to the use, disclosure, or request of protected health information only if the covered entity limits such protected health information, to the extent practicable, to the limited data set . . . or, if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.

Subject to same exceptions as apply under regulations

HITECH § 13405(b)

3. A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  • Name, address, phone, fax, email, SSN, other ID, vehicle/device ID, URL/IP address, biometrics, photos
  • Limited data set may only be used for health care operations, research, public health reporting

45 CFR § 164.514(d)(2), (3)


Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes.

45 CFR § 164.514(d)(4)

4. Questions and Implications:

  • Clearly applies to payment, health care operations, most other uses and disclosures
  • What is the “practicable extent” for use of a limited data set?
  • When do you “need” to use a broader data set?
  • Probably for almost all payment, many health care operations
  • Can a Covered Entity still rely on requestor representations about “necessary” scope?
  • Need to review, probably revise minimum necessary policies
  • What about limited data set agreements?
  • How does all this integrate into business associate contracting?

S. Accounting of Disclosures

1. Existing Rule:

Individual entitled to accounting for disclosures made for six years prior to request, except for:

  • Treatment, payment, health care operations;
  • To the individual;
  • Incidental to permitted uses and disclosures;
  • Pursuant to an authorization;
  • Directories, care support, certain notifications;
  • National security;
  • To correctional institutions or law enforcement;
  • As part of a limited data set

45 CFR § 164.528(a)

2. New Requirements:

a. Grandfathered, delayed compliance:

i. Current EHR users: January 1, 2014 (may be extended by rule to 2016)

ii. EHR acquired after January 1, 2009: Date of acquisition or January 1, 2011 (may be extended by rule to 2013)

3. New rules for EHR disclosures

(1) IN GENERAL.—In applying section 164.528 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information—

(A) the exception under paragraph (a)(1)(i) of such section shall not apply to disclosures through an electronic health record made by such entity of such information; and

(B) an individual shall have a right to receive an accounting of disclosures described in such paragraph of such information made by such covered entity during only the three years prior to the date on which the accounting is requested.

HITECH § 13405(c)

4. New rules for BA disclosures

In response to a request from an individual for an accounting, a covered entity shall elect to provide either an—

(A) accounting, as specified under paragraph (1), for disclosures of protected health information that are made by such covered entity and by a business associate acting on behalf of the covered entity; or

(B) accounting, as specified under paragraph (1), for disclosures that are made by such covered entity and provide a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and email address).

A business associate included on a list under subparagraph (B) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.

HITECH § 13405(c)

5. Questions and Implications:

a. Treatment, payment, health care operations disclosures from EHRs will be added

  • Can your existing EHR track them now? Will it be able to then? Will the EHR you are going to buy be able to do it?

b. Applies whenever external entities are given access

  • Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
  • Use means . . . the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
  • So what about e.g. independent ER contractor physicians using a hospital EHR in an OHCA?

c. If you disclose addresses only, will your BAs be able to respond? Will they want to?
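As an added illustration (not part of the original presentation), the following Python sketch shows how an EHR audit trail could be filtered into an accounting that reflects the rule quoted above: uses inside the holding entity drop out, TPO disclosures count only when made through the EHR and only for three years, and the covered entity's election between options (A) and (B) decides whether business-associate disclosures are listed or a BA contact list is returned instead. Entity names, field names, the sample events and the six-year period applied to non-EHR disclosures (the existing § 164.528 period) are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AccessEvent:
    when: date
    discloser: str   # entity that released the PHI: the covered entity or one of its BAs
    recipient: str   # entity that received it
    purpose: str     # "treatment", "payment", "operations", or another purpose
    via_ehr: bool    # released through the electronic health record?

TPO = {"treatment", "payment", "operations"}

def years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year - years, day=28)

def is_disclosure(ev: AccessEvent, covered_entity: str) -> bool:
    """Use stays inside the entity holding the PHI; anything leaving it is a disclosure."""
    return ev.recipient != covered_entity

def in_accounting(ev: AccessEvent, covered_entity: str, requested_on: date) -> bool:
    if not is_disclosure(ev, covered_entity):
        return False
    if ev.purpose in TPO:
        if not ev.via_ehr:   # the (a)(1)(i) TPO exception still covers non-EHR disclosures
            return False
        lookback = 3         # HITECH: EHR TPO disclosures, three years only
    else:
        lookback = 6         # existing § 164.528 period for other disclosures (assumed here)
    return years_before(requested_on, lookback) <= ev.when <= requested_on

def accounting_response(events, covered_entity, business_associates, requested_on, election):
    """Election A: CE and BA disclosures together. Election B: CE disclosures plus BA contacts."""
    hits = [ev for ev in events if in_accounting(ev, covered_entity, requested_on)]
    if election == "A":
        return {"disclosures": hits, "business_associates": []}
    return {"disclosures": [ev for ev in hits if ev.discloser == covered_entity],
            "business_associates": sorted(business_associates.items())}

# Constructed sample audit trail for a hypothetical covered entity (not real data).
COVERED_ENTITY, REQUESTED_ON = "Metro Hospital", date(2011, 9, 1)
BUSINESS_ASSOCIATES = {"BillCo": "privacy@billco.invalid"}
SAMPLE_EVENTS = [
    AccessEvent(date(2011, 3, 1), "Metro Hospital", "Metro Hospital", "treatment", True),         # use, not a disclosure
    AccessEvent(date(2011, 3, 1), "Metro Hospital", "Clearview Labs", "treatment", True),         # EHR TPO: now accounted for
    AccessEvent(date(2011, 3, 1), "Metro Hospital", "Clearview Labs", "treatment", False),        # paper TPO: still excepted
    AccessEvent(date(2008, 6, 1), "Metro Hospital", "Clearview Labs", "treatment", True),         # EHR TPO older than 3 years
    AccessEvent(date(2007, 6, 1), "Metro Hospital", "State Health Dept", "public_health", False), # other purpose, within 6 years
    AccessEvent(date(2011, 5, 1), "BillCo", "Collections Inc", "payment", True),                  # BA disclosure via EHR
]
```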

T. Patient Access to PHI

1. Existing Rule: 45 CFR § 164.524

An individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:

  • Psychotherapy notes;
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
  • Certain information subject to Clinical Laboratory Improvement Act (CLIA), certain information about correctional inmates, certain research or Privacy Act-protected information, certain information received under confidentiality;
  • Information a licensed professional has determined could cause harm to life or physical safety.

2. New Rule:

In applying section 164.524 . . . in the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual—

(1) the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific; and

(2) notwithstanding paragraph (c)(4) of such section, any fee that the covered entity may impose for providing such individual with a copy of such information (or a summary or explanation of such information) if such copy (or summary or explanation) is in an electronic form shall not be greater than the entity’s labor costs in responding to the request for the copy (or summary or explanation).

HITECH § 13405(e)

3. Questions and Implications:

  • How does the right to “direct the transmission” to a designated third party relate to authorization rights and requirements?
  • Can you in fact quantify your costs of response?

U. Prohibition on EHR and PHI Sales

1. Existing Rule:

Sale or transfer as part of treatment, payment, healthcare operations not prohibited as long as other conditions met – remuneration not a factor

2. New Rules:

  • Rule implementation: no longer than 18 months (August 17, 2010)
  • Compliance: six months from effective date (April 17, 2011)
  • Effective date is publication of final rule + 2 months

A covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual . . . a valid authorization that includes . . . a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual.

HITECH § 13405(d)

Exceptions to the prohibition:

  • Public health activities
  • Research, as long as “price charged reflects the costs of preparation and transmittal of the data for such purpose”
  • Treatment of the individual
  • Sale, transfer, merger, consolidation of a covered entity, where the successor will be a covered entity
  • Remuneration “by a covered entity to a business associate for activities involving the exchange of protected health information that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement.”
  • Providing an individual with a copy of PHI

3. Questions and Implications:

What is “remuneration”?

  • Stark definition: “Remuneration means any payment, discount, forgiveness of debt or other benefits made directly or indirectly, overtly, in cash or in kind.”

What is “exchange” of PHI? May covered entity transfer temporary possession to 3rd party for use?

Can you quantify research-related costs?

V. Marketing

1. Existing Rule:

Use or disclosure of PHI for marketing purposes requires authorization and notice if “direct or indirect remuneration” is paid, excluding face-to-face communications and “nominal” gifts

45 CFR § 164.508(a)(3)

“Marketing” is a communication about a product or service that encourages recipients to purchase or use the product or service, or an arrangement between a covered entity and any other entity where the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.

45 CFR § 164.501

Excluded from the definition of “marketing” (45 CFR § 164.501, subparagraphs (i)–(iii)), a communication made to describe or for:

  • Health-related product or service (or payment for such) provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about entities in a health care provider or health plan network or added-value health-related products or services available only to a health plan enrollee;
  • Treatment of the individual; or
  • Case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care.

2. New Rule:

A communication by a covered entity or business associate that is about a product or service and that encourages recipients of the communication to purchase or use the product or service shall not be considered a health care operation . . . unless the communication is made as described in subparagraph (i), (ii), or (iii) of paragraph (1) of the definition of marketing in section 164.501 of such title.

HITECH § 13406(a)(1)


A communication by a covered entity or business associate that is described in subparagraph (i), (ii), or (iii) of paragraph (1) of the definition of marketing . . . shall not be considered a health care operation . . . if the covered entity receives or has received direct or indirect payment in exchange for making such communication, except where—

  • the communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication; and
  • any payment received by such covered entity in exchange for making a communication described is reasonable; and either
  • the communication is made by the covered entity and the covered entity first obtains an authorization from the individual; or
  • the communication is made by a business associate on behalf of the covered entity and the communication is consistent with the written contract between such business associate and covered entity.

“Reasonable” to be determined by regulation

3. Questions and Implications:

  • Read together with HITECH § 13405(d) (EHR and PHI sales)
  • Note: Applies to communications on/after February 17, 2010
  • Allows e.g. prescription refill reminders, not “switch” letters suggesting different drugs
  • Will the rule on “reasonable” come out by February 17, 2010?
