A recent article in the Wall Street Journal, "Heart Gadgets Test Privacy Law Limits," raised three items in relation to HIPAA that all entities handling patient information need to consider. First, whether medical device and pharmaceutical companies qualify as a covered entity, business associate or subcontractor post-HITECH Act. Second, the patient's right to access data that is considered protected health information. As delineated in the regulations, the general definition of PHI is "identifying information created or received by an employer or a healthcare entity that relates to an individual's physical or mental health condition and is transmitted or maintained in any medium." And, third, whether or not companies can sell the PHI to health systems and insurers for a profit.
Classifying the entity
Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and the HITECH Act? Yes. In general, a provider that "transmits any health information in electronic form in connection with a transaction covered by this subchapter" is considered a covered entity.1 Moreover, according to 45 CFR §160.103(2)(ii)(3), "a covered entity may be a business associate of another covered entity." In fact, CMS recognized that as a government agency, it is subject to HIPAA, the HITECH Act and related rules in an October 2012 report issued by the Office of the Inspector General, "CMS Response to Breaches and Medical Identity Theft."
In turn, a business associate, as defined by the HIPAA Rules, is "a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information" (emphasis added). A subcontractor is a person who contracts with a business associate and stores, handles or transmits PHI. Regardless, under Section 164.308(b) of the Security Rule and 164.502(e) of the Privacy Rule, a covered entity or business associate is required to enter into an arrangement known as a business associate agreement to provide parameters and some legal protection when a contracted entity is handling PHI.
Effective Feb. 18, 2010, Section 13408 of the HITECH Act provides that health information organizations, e-prescribing gateways, vendors of personal health records and other persons that facilitate data transmission and require access to PHI, regardless of their status as a covered entity, business associate or subcontractor, are subject to business associate agreements in accordance with the HIPAA Rules.
Therefore, medical device and pharmaceutical companies can be classified as a qualifying entity subject to HIPAA and the HITECH Act. As such, they must handle, store and transmit PHI in accordance with the requisite laws and regulations. The consequences from civil and criminal monetary penalties alone are significant. Since the HITECH Act expressly expanded HIPAA's requirements to business associates and subcontractors, the same standards for access to medical records, business associate agreements and other provisions equally apply.
Patient access rights
The article highlights the tension between patients who want access to the health data from a medical device implanted in them and the medical device company. According to a representative of a medical device maker quoted in the article, "Federal rules prohibit giving Ms. Hubbard's data to anyone but her doctor and hospital. Our customers are physicians and hospitals." In general, 45 C.F.R. §164.524, Access of Individuals to Protected Health Information, sets forth the parameters of the HIPAA Privacy Rule. Included in these standards are the circumstances for providing protected health information to a patient and exceptions. Nothing in the scenario of the PHI being transmitted from a patient's implant to a medical device company, which would be classified as a business associate in this instance, invokes an exception to deny the patient's request.
Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act authorizes penalties to be assessed for violations of the Privacy Rule. In February 2011, HHS issued a Final Notice of Determination and held Cignet Health, a business associate, liable for $4.3 million in civil monetary penalties when they denied 41 patients access to their medical records. As OCR Director Georgina Verdugo indicated, "covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA's requirements." And, "The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules." This area should be considered in drafting business associate agreements. Therefore, business associates such as Medtronic are required to release the PHI to the patient requesting the information, unless one of the exceptions is met, and the patient is informed.
Selling patient data for a profit
Another issue raised by the article is companies creating a separate business unit in order to sell "the data to health systems or insurers that could use it to predict diseases and possibly lower their costs," further calling it "the currency of the future." Yet, 45 CFR §164.514(C)(4) requires covered entities to "ensure that any agents to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information." While certain exceptions may exist when the PHI is de-identified, as the OCR indicated, an individual's "right to an accounting of the disclosures of their protected health information by a covered entity or the covered entity's business associates" is inherent in HIPAA.
Failure of a business associate to comply with the HITECH Act and relevant Privacy and Security Rule provisions subjects them, under the Enforcement Rule, to the same penalties as a covered entity. Therefore, it is imperative that business associates, covered entities and subcontractors review all relevant laws and regulations to ensure compliance. By conducting both an internal and external risk assessment, potential vulnerabilities can be identified. And, if appropriate exceptions exist that would enable PHI to be sold by a business associate, a detailed explanation could be constructed proactively.
In sum, whether an entity is considered a covered entity, business associate or subcontractor is irrelevant in terms of complying with HIPAA, the HITECH Act and relevant provisions, as well as the potential penalties. A patient's access to their PHI applies equally to business associates as it does to covered entities. Therefore, a comprehensive risk assessment and business associate agreement must be constructed to mitigate the risk of liability associated with selling PHI as a revenue generating business line.
Footnotes:
1. See 45 CFR Subtitle A (10-1-10 Edition), §160.103 at 777.
Rachel V. Rose, JD, MBA, is a principal at Rachel V. Rose – Attorney at Law, PLLC in Houston, TX. Her practice focuses on healthcare and corporate law. She can be contacted at rvrose@rvrose.com.