OCR Rule Exempts PHI “Conduits”
Organizations that serve as “conduits” of protected health information are not covered by the draft privacy and security modifications to HIPAA, according to an HHS lawyer and privacy expert. Some stand-alone PHR firms such as Google Health and Microsoft HealthVault would also be exempt in certain situations.
HHS’s Office for Civil Rights lawyer Adam Greene described the exemption during a July 9 meeting with the Health IT Policy Committee’s Privacy and Security Tiger Team (transcript available on the HHS Web site). Greene provided an overview of the proposed regulation, released on July 8, which begins rulemaking on the privacy and security provisions within the HITECH Act of the American Recovery and Reinvestment Act.
Organizations that are “mere conduits” for the electronic transport of PHI would not be considered business associates when working with HIPAA covered entities such as providers, health plans, or claims clearinghouses, Greene said.
A conduit, which has “only random or infrequent access as necessary to support the transport of the information,” would not be covered by the rule as a business associate—even if handling unencrypted PHI, Greene said. Conduits could include the U.S. Postal Service, certain private couriers, and other electronic couriers.
Certain Exemptions for Google Health, Microsoft
While some PHR providers are covered under HIPAA in the proposed rule, only those PHR vendors that are offering their product “on behalf of covered entities” would be covered, Greene said. This most likely does not include PHR vendors like Google or Microsoft, although there could be situations in which, depending on the agreement between the vendor and a covered entity, a PHR vendor would be covered by the privacy rule.
“To the extent that [PHR vendors are] providing services directly to individuals rather than on behalf of a covered entity, they are neither covered entities, nor business associates,” Greene said. “Now, it could be theoretically that they serve both functions. It could be that they have a line of business that goes directly to individuals, but they also have contracts with particular covered entities to offer their tool on behalf of the covered entity, in which case they may be a business associate in some respects, but not others.”
For example, if Google Health were contracted to create and operate a PHR solution for a covered entity, it would be considered a business associate and covered by the privacy rule. But if a covered entity merely allows patients to upload their medical records from a provider’s patient portal to the stand-alone Google Health PHR, Google would not be covered because it is not “acting on behalf of the covered entity.”
Business Associates Liable for Subcontractors
One of the most significant modifications that the HITECH Act makes to HIPAA is extending covered entity status to business associates. In discussing the change, Greene clarified that subcontractors of business associates would be required to adhere to HIPAA, as would their subcontractors.
“Additionally, anyone they may contract with as a subcontractor who creates, receives, maintains, or transmits PHI on behalf of them would also be a BA, so it continues to go down the chain as necessary,” Greene said.
Each business associate in the chain is required to have a full-fledged business associate agreement with its respective subcontractor. Covered providers would only need to enter into a HIPAA-compliant business associate contract with the first business associate. That BA is then liable for the contract with its subcontractor and any violations committed by that entity, just as the covered entity is responsible for violations of the BA.
A member of the committee asked Greene what recourse a patient has if, three or four levels down into a subcontractor chain, a patient’s PHI is sold or divulged inappropriately.
“Do I go after the covered entity? Do I go after business entity number one, number two, number three to get to number four?” asked Dixie Baker, Tiger Team member and senior vice president and technical fellow at Science Applications International Corporation.
The patient’s best recourse would be to file an official complaint with OCR, which would conduct an investigation, Greene said. Entities that violate the privacy rule face sanctions of $50,000 per violation and up to $1.5 million per year for multiple violations.
A new aspect of the proposed rule also gives state attorneys general the authority to enforce the rule. Greene noted subcontractor business associates are required to issue breach notifications up the chain of agreements to the original covered entity, which would then be required to contact patients.
Comments on the draft rule are being accepted until September 13, 2010.