And Now for Another Problem with HITECH Compliance: Business Associates and Minimum Necessary

Now that we are well under way with renegotiating our Business Associate Contracts – aren’t we? – it’s time to start worrying about a potentially bigger problem: application of the “minimum necessary rule” to Business Associates.

I will be quoting regulation chapter and verse, which is unexciting but necessary for this issue. The tl;dr short version is: The minimum necessary rule was amended by the Omnibus Rule to apply to Business Associates. The requirements for its implementation, however, were not. Whether this was intentional or not, the effect is that Business Associates are required to comply with the minimum necessary policies of the Covered Entity responsible for the PHI. This will not be easy, and in some situations may be impossible unless the Covered Entity is willing to adopt a Business Associate’s proposed minimum necessary policies. Since a failure to comply with the minimum necessary policies that apply to a given use or disclosure of PHI (and perhaps the failure to have any such policies at all) makes that use or disclosure unauthorized, any such use or disclosure will be presumed to be a reportable breach, unless a specific risk analysis demonstrates that it does not meet the definition.

This is not a good result. It may be an artifact of the drafting of the amendments to the minimum necessary rule, or it may be intentional. Either way, unless and until it is clarified, it creates risks of compliance violations and difficulties in policy creation, management and dissemination.

Here’s the long version.

Simple Principle, Problematic Implementation.

The minimum necessary rule is based on a simple-sounding, unobjectionable principle. That principle was stated as follows before the Omnibus Rule amendments:

When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

45 CFR 164.502(b)(1). This simple principle required some work for implementation, however, in the following implementation specifications:

(1)  In order to comply with § 164.502(b) . . .  a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request for, or the use and disclosure of, protected health information.

(2)  Implementation specifications: Minimum necessary uses of protected health information. (i) A covered entity must identify: (A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and (B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access. (ii) A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.

(3) (i) For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. (ii) For all other disclosures, a covered entity must: (A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and (B) Review requests for disclosure on an individual basis in accordance with such criteria.

45 CFR 164.514(d) (emphasis added). The rule then goes on to provide that a “covered entity may rely” on the terms of another party’s request as the minimum necessary when making specified disclosures to public officials; when “the information is requested by another covered entity”; or if the information is “requested by a professional who is a member of its [the covered entity’s] workforce or is a business associate of the covered entity for purposes of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose[.]” 45 CFR 164.514(d)(3)(iii).

Even if only applicable to Covered Entities, these are requirements only an auditor could love. Serious compliance requires a more or less detailed description of every process, function and activity which could involve PHI, from clerical and professional work to compliance, governance and support. It also means matching (or revising) position descriptions to these process/function/activity descriptions, figuring out what the “minimum necessary” is for each process/function/activity associated with the position, and incorporating all of this in written policies. By comparison, Washington State’s Health Care Information Act, which has been adapted to conform to HIPAA in most areas, has a “need to know” standard for disclosures with no policy implementation requirements, suggesting a legal standard of deference to reasonable judgment without detailed documentation.

Whether or not that might be a better standard (or one that’s easier to comply with), and whether or not all Covered Entities in fact went through the necessary analyses and wrote up appropriate minimum necessary policies, this was the requirement for Covered Entities before the Omnibus Rule. And the Covered Entity’s minimum necessary policies would not have been applicable to its Business Associates unless such application were included in their Business Associate Contract – which is not a provision required by the Business Associate Contract regulations.

This has been changed by the Omnibus Rule, but in ways which may be more problematic than anticipated.

Do Business Associates Have the Authority to Adopt Minimum Necessary Policies?

The Omnibus Rule amendments expanded the simple minimum necessary principle by a simple amendment: the words “or business associate” were added in two places, so that the principle now reads as follows:

When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

45 CFR 164.502(b)(1). The Omnibus Rule did not, however, amend the implementation specifications, and that’s a problem. When the minimum necessary rule applied only to Covered Entities, the implementation specifications consistently placed the obligation to comply with them on Covered Entities as well. With the expansion of .502(b) to include Business Associates, the failure to amend the implementation specifications means that Business Associates are now bound by a standard whose implementing policies only a Covered Entity is directed to create, so that Business Associates in effect have an obligation to comply with the Covered Entity’s minimum necessary policies. Here are the implementation specifications again; note that every obligation in them is placed on “a covered entity” and on no one else:

(1)  In order to comply with § 164.502(b) . . .  a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request for, or the use and disclosure of, protected health information.

(2)  Implementation specifications: Minimum necessary uses of protected health information. (i) A covered entity must identify: (A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and (B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access. (ii) A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.

(3) (i) For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. (ii) For all other disclosures, a covered entity must: (A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and (B) Review requests for disclosure on an individual basis in accordance with such criteria.

45 CFR 164.514(d) (emphasis added). By the same token, because the implementation specifications of 45 CFR 164.514(d)(3)(iii) were not amended:

  • Only a Covered Entity may rely on the terms of a public official’s request as the minimum necessary when making specified disclosures to public officials.
  • Only a Covered Entity may rely on the terms of a request for information from another Covered Entity, and apparently neither Covered Entities nor Business Associates may rely upon a request from a Business Associate under that provision.
  • Only a Covered Entity may rely on the terms of a request for information from a professional, and then only when the professional is a member of the Covered Entity’s workforce or a Business Associate of the Covered Entity providing professional services to it.

In other words, Business Associates do not appear to have the authority to adopt their own minimum necessary policies or to rely on third party representations in making minimum necessary determinations, but must comply with the Covered Entity’s minimum necessary policies. If they don’t, there could be a serious problem, since a minimum necessary violation may be a reportable breach, as specifically stated in the preamble to the Omnibus Rule:

Comment: Many commenters expressed concern that violations of the minimum necessary standard may trigger breach notification obligations.

Response: We do not believe it would be appropriate to exempt minimum necessary violations from the breach notification obligations as we do not believe that all minimum necessary violations present a low probability that the protected health information has been compromised. Thus, uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of §§ 164.502(b) and 164.514(d), may qualify as breaches. Such incidents must be evaluated as any other impermissible uses or disclosures to determine whether breach notification is not required.

Preamble to Omnibus Rule, 78 Fed.Reg. at 5644. There are some significant problems, however, in extending Covered Entity minimum necessary policies to Business Associates.

Problem Situations for the Amended Rule

Consider the following situations:

  • A small physician practice (Covered Entity) outsources its EMR, including technical administration, to an IT services vendor (Business Associate). The physician practice has minimum necessary policies which cover its own processes: healthcare diagnosis and treatment, billing, office administration. Because it has outsourced its IT functions, it doesn’t have (and doesn’t know how to draft) minimum necessary policies for database administration, help desk functions, network security and a number of related processes, functions and activities included in the outsourced services.
  • A hospital (Covered Entity) outsources its billing functions to a vendor (Business Associate). The vendor experiences a potential security breach. It would ordinarily have it investigated by its database administrator, but the hospital’s policies make security breach investigation a function of the compliance officer.
  • A health information organization (“HIO”) provides health information exchange services including secure messaging, a record locator service and master patient index, to several hospitals, physician practices and related support organizations. The HIO is the Business Associate of all these Covered Entities, and Subcontractor to some Business Associates authorized to use the system. Whose minimum necessary policies apply to the HIO?
  • A quality improvement organization (“QIO”) provides analytical and consulting services as a Business Associate of multiple Covered Entities. The QIO wants to engage a consulting firm to perform a quality audit to help it improve its operations; the audit will entail access to PHI. The auditors will be providing professional services, but not for a Covered Entity. The QIO therefore cannot rely on the auditors’ requests to define the scope of minimum necessary PHI, and the QIO’s Covered Entity clients are not likely to have policies covering this area. (After all, they don’t need to.)
  • And so on – I invite you to submit your own.

In other words, a Covered Entity’s policies somehow need to anticipate and include provisions for the functions, activities and services Business Associates may provide, even if the Covered Entity has no specific information about how those are performed (Business Associate operational processes, job descriptions, practical PHI requirements, etc.) and no expertise allowing it to draft appropriate policies. For that matter, a Covered Entity’s policies need to anticipate and include provisions applicable to the Business Associate’s governance functions, carried out for its “proper management and administration” and to carry out its “legal responsibilities.” Can a small physician practice Covered Entity contracting with a large, publicly-traded EMR vendor Business Associate really draft minimum necessary policies which would meet the vendor’s financial compliance obligations?

And of course there is the question, how do you pass minimum necessary policies along? The Business Associate Contracts regulations were not amended to include an explicit requirement to comply with a Covered Entity’s minimum necessary policies, and it is not clear whether the minimum necessary provisions included in OCR’s sample Business Associate Contract form are intended to be optional or not. However, the Business Associate Contract implementation specifications do include the following requirement:

[The Business Associate Contract must] establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart [the Privacy Rule], if done by the covered entity[.]

45 CFR 164.504(e)(2)(i) (emphasis added). Since a Covered Entity is required to comply with its own minimum necessary policies in order to comply with the Privacy Rule, a Business Associate Contract must pass along a requirement of compliance with the Covered Entity’s minimum necessary policies; otherwise the contract would authorize the Business Associate to use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity.

This obligation has probably been honored at least as often in the breach as in the execution, but it is now growing real teeth with the regulatory extension of the minimum necessary rule to Business Associates. The implicit, assumed or perhaps sometimes overlooked requirement that Covered Entities pass along their minimum necessary policies now needs to become an explicit, analyzed and probably often negotiated part of the Business Associate Contract – with additional complexities in transmission of the policies down a Business Associate chain, where one is present, of course. (See here for a presentation discussing such chains.)

Managing the Minimum Necessary Problem.

There are probably a lot of arrangements where a Covered Entity’s minimum necessary policies work fine for a Business Associate. An outsourced billing service, for example, probably performs functions its hospital client understands quite well, with job descriptions that fit within those the hospital uses. In relatively simple cases like this, one way of dealing with the issue is to require the Covered Entity at the top of the chain to provide its minimum necessary policies, and to require that they be passed along in any downstream Business Associate Contract. This would at least give Business Associates notice of potential issues, and perhaps an opportunity to negotiate.

In other situations it may not be so clear, or the Covered Entity may have no resources or expertise which lets it draft reasonable policies. In those cases, the parties might agree to have the Business Associate draft minimum necessary policies which the Covered Entity can adopt for purposes of the Business Associate’s services.

OCR will be providing additional guidance and perhaps amended minimum necessary regulations, which may resolve these issues, whenever they are published. Until then, my own strategy is to try to raise these issues with clients, and negotiate terms under which (for example) a Business Associate can require a Covered Entity to adopt policies covering the Business Associate’s needs. This is far from ideal, and I will keep trying to figure out something better . . . and would welcome suggestions!