Note: See
Transition at §164.532 for discussion of two year transition for
existing business associate agreements. See also
Sample Business Associate Contract contained in the August 14, 2002 revisions.
Comment: Many commenters continued to recommend various modifications to the business associate standard, unrelated to the proposed modifications. For example, some commenters urged that the Department eliminate the business associate requirements entirely. Several commenters urged that the Department exempt covered entities from having to enter into contracts with business associates who are also covered entities under the Privacy Rule. Alternatively, one commenter suggested that the Department simplify the requirements by requiring a covered entity that is a business associate to specify in writing the uses and disclosures the covered entity is permitted to make as a business associate.
Other commenters requested that the Department allow business associates to self-certify or be certified by a third party or HHS as compliant with the Privacy Rule, as an alternative to the business associate contract requirement.
Certain commenters urged the Department to modify the Rule to eliminate the need for a contract with accreditation organizations. Some commenters suggested that the Department do so by reclassifying private accreditation organizations acting under authority from a government agency as health oversight organizations, rather than as business associates.
Response: The proposed modifications regarding business associates were intended to address the concerns of commenters with respect to having insufficient time to reopen and renegotiate what could be thousands of contracts for some covered entities by the compliance date of the Privacy Rule. The proposed modifications did not address changes to the definition of, or requirements for, business associates generally. The Department has, in previous guidance, as well as in the preamble to the December 2000 Privacy Rule, explained its position with respect to most of the above concerns. However, the Department summarizes its position in response to such comments briefly below.
The Department recognizes that most covered entities acquire the services of a variety of other persons or entities to assist in carrying covered entities’ health care activities. The business associate provisions are necessary to ensure that individually identifiable health information created or shared in the course of these relationships is protected. Further, without the business associate provisions, covered entities would be able to circumvent the requirements of the Privacy Rule simply by contracting out certain of its functions.
With respect to a contract between a covered entity and a business associate who is also a covered entity, the Department restates its position that a covered entity that is a business associate should be restricted from using or disclosing the protected health information it creates or receives as a business associate for any purposes other than those explicitly provided for in its contract. Further, to modify the provisions to require or permit a type of written assurance, other than a contract, by a covered entity would add unnecessary complexity to the Rule.
Additionally, the Department at this time does not believe that a business associate certification process would provide the same kind of protections and guarantees with respect to a business associate’s actions that are available to a covered entity through a contract under State law. With respect to certification by a third party, it is unclear whether such a process would allow for any meaningful enforcement (such as termination of a contract) for the actions of a business associate. Further, the Department could not require that a business associate be certified by a third party. Thus, the Privacy Rule still would have to allow for a contract between a covered entity and a business associate.
The Privacy Rule explicitly defines organizations that accredit covered entities as business associates. See the definition of “business associate” at § 160.103. The Department defined such organizations as business associates because, like other business associates, they provide a service to the covered entity during which much protected health information is shared. The Privacy Rule treats all organizations that provide accreditation services to covered entities alike. The Department has not been persuaded by the comments that those accreditation organizations acting under grant of authority from a government agency should be treated differently under the Rule and relieved of the conditions placed on other such relationships. However, the Department understands concerns regarding the burdens associated with the business associate contract requirements. The Department clarifies that the business associate provisions may be satisfied by standard or model contract forms which could require little or no modification for each covered entity. As an alternative to the business associate contract, these final modifications permit a covered entity to disclose a limited data set of protected health information, not including direct identifiers, for accreditation and other health care operations purposes subject to a data use agreement. See § 164.514(e).
Comment: A number of commenters continued to express concern over a covered entity’s perceived liability with respect to the actions of its business associate. Some commenters requested further clarification that a covered entity is not responsible for or required to monitor the actions of its business associates. It also was suggested that such language expressly be included in the Rule’s regulatory text. One commenter recommended that the Rule provide that business associates are directly liable for their own failure to comply with the Privacy Rule. Another commenter urged that the Department eliminate a covered entity’s obligation to mitigate any harmful effects caused by a business associate’s improper use or disclosure of protected health information.
Response: The Privacy Rule does not require a covered entity to actively monitor the actions of its business associates nor is the covered entity responsible or liable for the actions of its business associates. Rather, the Rule only requires that, where a covered entity knows of a pattern of activity or practice that constitutes a material breach or violation of the business associate’s obligations under the contract, the covered entity take steps to cure the breach or end the violation. See § 164.504(e)(1). The Department does not believe a regulatory modification is necessary in this area. The Department does not have the statutory authority to hold business associates, that are not also covered entities, liable under the Privacy Rule.
With respect to mitigation, the Department does not accept the commenter’s suggestion. When protected health information is used or disclosed inappropriately, the harm to the individual is the same, regardless of whether the violation was caused by the covered entity or a by business associate. Further, this provision is not an absolute standard intended to require active monitoring of the business associate or mitigation of all harm caused by the business associate. Rather, the provision applies only if the covered entity has actual knowledge of the harm, and requires mitigation only “to the extent practicable” by the covered entity. See § 164.530(f).
Comment: Several commenters asked the Department to provide additional clarification as to who is and is not a business associate for purposes of the Rule. For example, commenters questioned whether researchers were business associates. Other commenters requested further clarification as to when a health care provider would be the business associate of another health care provider. One commenter asked the Department to clarify whether covered entities that engage in joint activities under an organized health care arrangement (OHCA) are required to have a business associate contract. Several commenters asked the Department to clarify that a business associate agreement is not required with organizations or persons where contact with protected health information would result inadvertently (if at all), for example, janitorial services.
Response: The Department provides the following guidance in response to commenters. Disclosures from a covered entity to a researcher for research purposes as permitted by the Rule do not require a business associate contract. This remains true even in those instances where the covered entity has hired the researcher to perform research on the covered entity’s own behalf because research is not a covered function or activity. However, the Rule does not prohibit a covered entity from entering into a business associate contract with a researcher if the covered entity wishes to do so. Notwithstanding the above, a covered entity must enter into a data use agreement, as required by § 164.514(e), prior to disclosing a limited data set for research purposes to a researcher.
With respect to business associate contracts between health care providers, the Privacy Rule explicitly excepts from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See § 164.502(e)(1). Therefore, any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment purposes without a business associate contract. The Department does not intend the Rule to interfere with the sharing of information among health care providers for treatment. However, this exception does not preclude one health care provider from establishing a business associate relationship with another health care provider for some other purpose. For example, a hospital may enlist the services of another health care provider to assist in the hospital’s training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to patient health information.
As to disclosures among covered entities who participate in an organized health care arrangement, the Department clarifies that no business associate contract is needed to the extent the disclosure relates to the joint activities of the OHCA.
The Department also clarifies that a business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be de minimus, if at all. For example, a health care provider is not required to enter into a business associate contract with its janitorial service because the performance of such service does not involve the use or disclosure of protected health information. In this case, where a janitor has contact with protected health information incidentally, such disclosure is permissible under § 164.502(a)(1)(iii) provided reasonable safeguards are in place.
The Department is aware that similar questions still remain with respect to the business associate provisions of the Privacy Rule and intends to provide technical assistance and further clarifications as necessary to address these questions.
Comment: A few commenters urged that the Department modify the Privacy Rule’s requirement for a covered entity to take reasonable steps to cure a breach or end a violation of its business associate contract by a business associate. One commenter recommended that the requirement be modified instead to require a covered entity who has knowledge of a breach to ask its business associate to cure the breach or end the violation. Another commenter argued that a covered entity only should be required to take reasonable steps to cure a breach or end a violation if the business associate or a patient reports to the privacy officer or other responsible employee of the covered entity that a misuse of protected health information has occurred.
Response: It is expected that a covered entity with evidence of a violation will ask its business associate, where appropriate, to cure the breach or end the violation. Further, the Department intends that whether a covered entity “knew” of a pattern or practice of the business associate in breach or violation of the contract will be consistent with common principles of law that dictate when knowledge can be attributed to a corporate entity. Regardless, a covered entity’s training of its workforce, as required by § 164.530(b), should address the recognition and reporting of violations to the appropriate responsible persons with the entity.
Comment: Several commenters requested clarification as to whether a business associate is required to provide individuals with access to their protected health information as provided by § 164.524 or an accounting of disclosures as provided by § 164.528, or amend protected health information as required by § 164.526. Some commenters wanted clarification that the access and amendment provisions apply to the business associate only if the business associate maintains the original designated record set of the protected health information.
Response: Under the Rule, the covered entity is responsible for fulfilling all of an individual’s rights, including the rights of access, amendment, and accounting, as provided for by '§ 164.524, 164.526, and 164.528. With limited exceptions, a covered entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. However, the Privacy Rule does not prevent the parties from agreeing through the business associate contract that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the, or part of the, designated record set.
As governed by § 164.526, a covered entity must amend protected health information about an individual in a designated record set, including any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate will make protected health information available for amendment and will incorporate amendments accordingly. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.
With respect to accounting, § 164.528 requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. The business associate contract must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate contract that the business associate will provide the accounting to individuals, as may be appropriate given the protected health information held by, and the functions of, the business associate.
Comment: One commenter asked whether a business associate agreement in electronic form, with an electronic signature, would satisfy the Privacy Rule’s business associate requirements.
Response: The Privacy Rule generally allows for electronic documents to qualify as written documents for purposes of meeting the Rule’s requirements. This also applies with respect to business associate agreements. However, currently, no standards exist under HIPAA for electronic signatures. Thus, in the absence of specific standards, covered entities should ensure any electronic signature used will result in a legally binding contract under applicable State or other law.
Comment: Certain commenters raised concerns with the Rule’s classification of attorneys as business associates. A few of these commenters urged the Department to clarify that the Rule’s requirement at § 164.504(e)(2)(ii)(H), which requires a contract to state the business associate must make information relating to the use or disclosure of protected health information available to the Secretary for purposes of determining the covered entity’s compliance with the Rule, not apply to protected health information in possession of a covered entity’s lawyer. Commenters argued that such a requirement threatens to impact attorney-client privilege. Others expressed concern over the requirement that the attorney, as a business associate, must return or destroy protected health information at termination of the contract. It was argued that such a requirement is inconsistent with many current obligations of legal counsel and is neither warranted nor useful.
Response: The Department does not modify the Rule in this regard. The Privacy Rule is not intended to interfere with attorney-client privilege. Nor does the Department anticipate that it will be necessary for the Secretary to have access to privileged material in order to resolve a complaint or investigate a violation of the Privacy Rule. However, the Department does not believe that it is appropriate to exempt attorneys from the business associate requirements.
With respect to the requirement for the return or destruction of protected health information, the Rule requires the return or destruction of all protected health information at termination of the contract only where feasible or permitted by law. Where such action is not feasible, the contract must state that the information will remain protected after the contract ends for as long as the information is maintained by the business associate, and that further uses and disclosures of the information will be limited to those purposes that make the return or destruction infeasible.
Comment: One commenter was concerned that the business associate provisions regarding the return or destruction of protected health information upon termination of the business associate agreement conflict with various provisions of the Bank Secrecy Act, which require financial institutions to retain certain records for up to five years. The commenter further noted that there are many State banking regulations that require financial institutions to retain certain records for up to ten years. The commenter recommended that the Department clarify, in instances of conflict with the Privacy Rule, that financial institutions comply with Federal and State banking regulations.
Response: The Department does not believe there is a conflict between the Privacy Rule and the Bank Secrecy Act retention requirements or that the Privacy Rule would prevent a financial institution that is a business associate of a covered entity from complying with the Bank Secrecy Act. The Privacy Rule generally requires a business associate contract to provide that the business associate will return or destroy protected health information upon the termination of the contract; however, it does not require this if the return or destruction of protected health information is infeasible. Return or destruction would be considered “infeasible” if other law, such as the Bank Secrecy Act, requires the business associate to retain protected health information for a period of time beyond the termination of the business associate contract. The Privacy Rule would require that the business associate contract extend the protections of the contract and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. In this case, the business associate would have to limit the use or disclosure of the protected health information to purposes of the Bank Secrecy Act or State banking regulations.
Comment: A commenter requested clarification concerning the economic impact on business associates of the cost-based copying fees allowed to charged to individuals who request a copy of their medical record under the right of access provided by the Privacy Rule. See § 164.524. According to the commenter, many hospitals and other covered entities currently outsource their records reproduction function for fees that often include administrative costs over and above the costs of copying. In some cases, the fees may be set in accordance with State law. The Privacy Rule, at § 164.524(c)(4), however, permits only reasonable, cost-based copying fees to be charged to individuals seeking to obtain a copy of their medical record under their right of access. The commenter was concerned that others seeking copies of all or part of the medical record, such as payers, attorneys, or entities that have the individual’s authorization, would try to claim the limited copying fees provided in § 164.524(c)(4). The commenter asserted that such a result would drastically alter the economics of the outsourcing industry, driving outsourcing companies out of business, and raising costs for the health industry as a whole. A clarification that the fee structure in § 164.524(c)(4) applies only to individuals exercising their right of access was sought.
Response: The Department clarifies that the Rule, at § 164.524(c)(4), limits only the fees that may be charged to individuals, or to their personal representatives in accordance with § 164.502(g), when the request is to obtain a copy of protected health information about the individual in accordance with the right of access. The fee limitations in § 164.524(c)(4) do not apply to any other permissible disclosures by the covered entity, including disclosures that are permitted for treatment, payment or health care operations, disclosures that are based on an individual’s authorization that is valid under § 164.508, or other disclosures permitted without the individual’s authorization as specified in § 164.512.
The fee limitation in § 164.524(c)(4) is intended to assure that the right of access provided by the Privacy Rule is available to all individuals, and not just to those who can afford to do so. Based on the clarification provided, the Department does not anticipate that this provision will cause any significant disruption in the way that covered entities do business today. To the extent hospitals and other entities outsource this function because it is less expensive than doing it themselves, the fee limitation for individuals seeking access under § 164.524 will affect only a portion of this business; and, in these cases, hospitals should still find it economical to outsource these activities, even if they can only pass on a portion of the costs to the individual.
We proposed to define the term “business partner” to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. “Business partner” would have included contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. “Business partner” would have excluded persons who are within the covered entity’s workforce, as defined in this section.
This rule reflects the change in the name from “business partner” to “business associate,” included in the Transactions Rule.
In the final rule, we change the definition of “business associate” to clarify the circumstances in which a person is acting as a business associate of a covered entity. The changes clarify that the business association occurs when the right to use or disclose the protected health information belongs to the covered entity, and another person is using or disclosing the protected health information (or creating, obtaining and using the protected health information) to perform a function or activity on behalf of the covered entity. We also clarify that providing specified services to a covered entity creates a business associate relationship if the provision of the service involves the disclosure of protected health information to the service provider. In the proposed rule, we had included a list of persons that were considered to be business partners of the covered entity. However, it is not always clear whether the provision of certain services to a covered entity is “for” the covered entity or whether the service provider is acting “on behalf of” the covered entity. For example, a person providing management consulting services may need protected health information to perform those services, but may not be acting “on behalf of” the covered entity. This we believe led to some general confusion among the commenters as to whether certain arrangements fell within the definition of a business partner under the proposed rule. The construction of the final rule clarifies that the provision of the specified services gives rise to a business associate relationship if the performance of the service involves disclosure of protected health information by the covered entity to the business associate. The specified services are legal, actuarial, accounting, consulting, management, administrative accreditation, data aggregation, and financial services. The list is intended to include the types of services commonly provided to covered entities where the disclosure of protected health information is routine to the performance of the service, but when the person providing the service may not always be acting “on behalf of” the covered entity.
In the final rule, we reorganize the list of examples of the functions or activities that may be conducted by business associates. We place a part of the proposed list in the portion of the definition that addresses when a person is providing functions or activities for or on behalf of a covered entity. We place other parts of the list in the portion of the definition that specifies the services that give rise to a business associate relationship, as discussed above. We also have expanded the examples to provide additional guidance and in response to questions from commenters.
We have added data aggregation to the list of services that give rise to a business associate relationship. Data aggregation, as discussed below, is where a business associate in its capacity as the business associate of one covered entity combines the protected health information of such covered entity with protected health information received by the business associate in its capacity as a business associate of another covered entity in order to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. Adding this service to the business associate definition clarifies the ability of covered entities to contract with business associates to undertake quality assurance and comparative analyses that involve the protected health information of more than one contracting covered entity. For example, a state hospital association could act as a business associate of its member hospitals and could combine data provided to it to assist the hospitals in evaluating their relative performance in areas such as quality, efficiency and other patient care issues. As discussed below, however, the business associate contracts of each of the hospitals would have to permit the activity, and the protected health information of one hospital could not be disclosed to another hospital unless the disclosure is otherwise permitted by the rule.
The definition also states that a business associate may be a covered entity, and that business associate excludes a person who is part of the covered entity’s workforce.
We also clarify in the final rule that a business association arises with respect to a covered entity when a person performs functions or activities on behalf of, or provides the specified services to or for, an organized health care health care arrangement in which the covered entity participates. This change recognizes that where covered entities participate in certain joint arrangements for the financing or delivery of health care, they often contract with persons to perform functions or to provide services for the joint arrangement. This change is consistent with changes made in the final rule to the definition of health care operations, which permits covered entities to use or disclose protected health information not only for their own health care operations, but also for the operations of an organized health care arrangement in which the covered entity participates. By making these changes, we avoid the confusion that could arise in trying to determine whether a function or activity is being provided on behalf of (or if a specified service is being provided to or for) a covered entity or on behalf of or for a joint enterprise involving the covered entity. The change clarifies that in either instance the person performing the function or activity (or providing the specified service) is a business associate.
We also add language to the final rule that clarifies that the mere fact that two covered entities participate in an organized health care arrangement does not make either of the covered entities a business associate of the other covered entity. The fact that the entities participate in joint health care operations or other joint activities, or pursue common goals through a joint activity, does not mean that one party is performing a function or activity on behalf of the other party (or is providing a specified services to or for the other party).
In general under this provision, actions relating to the protected health information of an individual undertaken by a business associate are considered, for the purposes of this rule, to be actions of the covered entity, although the covered entity is subject to sanctions under this rule only if it has knowledge of the wrongful activity and fails to take the required actions to address the wrongdoing. For example, if a business associate maintains the medical records or manages the claims system of a covered entity, the covered entity is considered to have protected health information and the covered entity must ensure that individuals who are the subject of the information can have access to it pursuant to § 164.524.
The business associate relationship does not describe all relationships between covered entities and other persons or organizations. While we permit uses or disclosures of protected health information for a variety of purposes, business associate contracts or other arrangements are only required for those cases in which the covered entity is disclosing information to someone or some organization that will use the information on behalf of the covered entity, when the other person will be creating or obtaining protected health information on behalf of the covered entity, or when the business associate is providing the specified services to the covered entity and the provision of those services involves the disclosure of protected health information by the covered entity to the business associate. For example, when a health care provider discloses protected health information to health plans for payment purposes, no business associate relationship is established. While the covered provider may have an agreement to accept discounted fees as reimbursement for services provided to health plan members, neither entity is acting on behalf of or providing a service to the other.
Similarly, where a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other. However, if a party provides services to or for the other, such as where a hospital provides billing services for physicians with staff privileges, a business associate relationship may arise with respect to those services. Likewise, where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance by the health insurance issuer or HMO to the group health plan does not make the issuer a business associate. In such case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group health plan. We note that where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the provision of insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities or services. We also note that covered entities are permitted to disclose protected health information to oversight agencies that act to provide oversight of federal programs and the health care system. These oversight agencies are not performing services for or on behalf of the covered entities and so are not business associates of the covered entities. Therefore HCFA, the federal agency that administers Medicare, is not required to enter into a business associate contract in order to disclose protected health information to the Department's Office of Inspector General.
We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.
We do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care. A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider or health plan being paid. Covered entities that initiate such payment activities must meet the minimum necessary disclosure requirements described in the preamble to § 164.514.
