Healthcare Law Advisor
February 2000 Vol. 2 No. 1
Likely Effects of Provisions Regarding
Business Partners Under
the Proposed Federal Privacy Rule
By Jackie Huchenski, Linda Abdel-Malek and Jessica Friedman
On November 3, 1999, President Clinton signed the Proposed Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule")(1). The Privacy Rule seeks to protect the privacy of individually identifiable health information, or "protected health information" ("PHI")(2). This issue of the Healthcare Law Advisor focuses on the Privacy Rule's likely impact on Business Partners through its regulation of Covered Entities. Although the rule is not yet final, we are issuing this Advisor because the far-reaching consequences of the finalized Privacy Rule for Covered Entities and Business Partners necessitate planning as soon as possible.
The following healthcare business entities will be affected by the Privacy Rule as described in this Advisor.
- "Covered Entities" include "health plans, health care clearinghouses and health care providers who transmit health information in electronic form"(3).
- "Business Partner" is "a person to whom [a] covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. ‘Business partner’ includes contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. ‘Business partner’ excludes persons who are within the covered entity’s workforce"(4).
Disclosure of PHI by a Covered Entity to a Business Partner and Contract Requirements.
Covered Entities are permitted to disclose PHI to other Covered Entities for consultation or referral for treatment purposes; however, the receiving provider is prohibited from further use or disclosure of such PHI. For purposes other than consultation or referral for treatment, Covered Entities must receive "satisfactory assurance" from the Business Partner before disclosing PHI to the Business Partner or otherwise allowing the Business Partner to use such PHI. (See Privacy Rule 45 CFR § 164.506(e)(1).)
"Satisfactory assurance" consists of a contract between the Covered Entity and the Business Partner, which contract contains specific language regarding PHI. (See Privacy Rule 45 CFR § 164.506(e)(2).) Consequently, before a Covered Entity discloses PHI to a person or an entity for purposes other than referral or consultation for treatment purposes, there must be a contract in place which contains the following provisions:
- A prohibition against the use or disclosure by the Business Partner of PHI provided by the Covered Entity, other than as stated in the contract;
- A clause prohibiting the use or disclosure of PHI by the Business Partner in violation of the Privacy Rule;
- A provision requiring the Business Partner to create and implement appropriate safeguards to prevent use or disclosure of the PHI other than as provided for in the contract;
- Language requiring the Business Partner to report any use or disclosure not provided for in the contract to the Covered Entity;
- A stipulation that the Business Partner ensure that its subcontractors and agents to whom the Business Partner discloses PHI abide by the restrictions contained both in the Privacy Rule and in the contract between the Covered Entity and such Business Partner;
- A term establishing the manner in which the Business Partner will make PHI accessible to individuals who are the subjects of such PHI when the Business Partner is the only person or entity possessing such PHI (according to the preamble of the proposed Privacy Rule, the contract must also contain terms stating how the Business Partner will apprise the Covered Entity of any alteration of information, and the method via which the Covered Entity can access such information);
- A specification that the Business Partner will make available to the Secretary of the Department of Health and Human Services the Business Partner's internal practices, books, and records relating to the use and/or disclosure of PHI;
- A requirement that the Business Partner return or destroy all PHI upon termination of the contract and retain no copies of such PHI;
- A condition that the Business Partner incorporate any changes to PHI when notified by the Covered Entity to do so;
- A provision that individuals who are the subjects of PHI disclosed to the Business Partner pursuant to the contract are intended third-party beneficiaries; and
- A condition that, if the Business Partner violates any of the terms of the contract, the Covered Entity may terminate the contract.
(Privacy Rule 45 CFR § 164.506(e))
Compliance with Covered Entity’s Notice of Policies Regarding Use and Disclosure.
Every Covered Entity is required to promulgate and distribute to its enrollees a notice of its policies regarding use and disclosure of PHI (the "Notice") pursuant to the Privacy Rule. (See Privacy Rule 45 CFR § 164.512.) In addition to complying with the terms of the contract between the Covered Entity and its Business Partner, including the requirements of the Privacy Rule regarding use and disclosure of PHI, and applicable state law(5), a Business Partner must comply with the terms of the Covered Entity's Notice as distributed to individuals who are the subject of such PHI. (See 64 Fed. Reg. 59948, preamble Section II.C.5(b)(i).) For example, if a Covered Entity's policy, as described in its Notice, prohibits all disclosures for research purposes, the Business Partner will be similarly restricted from using or disclosing any PHI for research purposes.
Covered Entity’s Liability and Duty to Mitigate Harm.
- Liability. A "material breach by a business partner of its obligations … will be considered to be noncompliance of the covered entity with the applicable requirements of this subpart, if the covered entity knew or should have known of such breach and failed to take reasonable steps to cure the breach or terminate the contract". (See Privacy Rule 45 CFR § 164.506(e)(iii).) The preamble to the proposed Privacy Rule, Section II.C.5(c), explains that a Covered Entity which is aware of impermissible uses of PHI by a Business Partner is responsible for taking steps to prevent further impermissible use and/or disclosure and for mitigating any harm caused by the Business Partner’s impermissible use and/or disclosure. (See 64 Fed. Reg. 59949-50.) A Covered Entity will be liable for breaches by its Business Partner only if: (1) the Covered Entity fails to take steps to cure a breach of which it is or should have been aware; or (2) the Covered Entity knows a breach by the Business Partner occurred and fails to take steps to prevent further impermissible use or disclosure by such Business Partner.
- Duty to Monitor. According to the preamble to the proposed Privacy Rule, Sections II.H.5-II.H.6, a Covered Entity is not required to actively monitor the activities of its Business Partners. (See 64 Fed. Reg. 59991.) However, for any Business Partner which seriously or repeatedly violates the restrictions contained in the contract between the Covered Entity and the Business Partner, the Covered Entity is required to monitor the Business Partner's continuing performance under the contract. (See 64 Fed. Reg. 59991.) Consequently, according to the preamble of the proposed Privacy Rule, until or unless the Business Partner seriously and/or repeatedly violates the contract, the Covered Entity has no duty to monitor its Business Partners.
- Sanctions, Contract and Duty to Terminate. Additionally, the Secretary of the Department of Health and Human Services encourages Covered Entities to establish relationships with their Business Partners such that a Covered Entity sanctions its Business Partners for any impermissible use and/or disclosure of PHI. (See 64 Fed. Reg. 59991.) Language permitting the Covered Entity to monitor and sanction the Business Partner should therefore be included in the contract between them. The preamble reiterates that a Covered Entity is required to terminate its contract with any Business Partner if it becomes clear to the Covered Entity that the Business Partner cannot or will not maintain the privacy of PHI. (See 64 Fed. Reg. 59991.)
This Advisor was written by Jackie Huchenski, Linda Abdel-Malek and Jessica Friedman. If you have any questions about this Advisor or our healthcare practice, please contact Jackie Huchenski, partner and Chair of the Healthcare Practice Group, by telephone at (212) 554-7831 or e-mail at jhuchenski@mosessinger.com.
This Bulletin is intended as a general comment on certain recent developments in the law. It does not contain a complete legal analysis or constitute an opinion of Moses & Singer LLP or any member of the Firm on the legal issues herein described. It is recommended that readers not rely on this general guide in structuring or analyzing individual transactions but that professional advice be sought in connection with any such transaction.
1. The proposed Privacy Rule is printed in Volume 64 of the Federal Register and will amend Title 45 of the C.F.R., Parts 160 through 164. It is expected to be final this year. For a broad overview of the proposed Privacy Rule, please see the November 1999 issue of the Healthcare Law Advisor (Volume 1 No.2).
2. The Privacy Rule prohibits the use or disclosure of "Protected Health Information". "Protected Health Information" is defined as "individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form." For purposes of the definition of Protected Health Information, "(i) 'Electronically transmitted' includes information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial-up lines, private networks, telephone voice response, and 'faxback' systems. (ii) 'Electronically maintained' means information stored by a computer or on any electronic medium from which information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media." Protected Health Information excludes "(i) [i]ndividually identifiable health information in education records covered by the Family Educational Right and Privacy Act, as amended, []; and (ii) [i]ndividually identifiable health information of inmates of correctional facilities and detainees in detention facilities." Privacy Rule 45 CFR §164.504.
3. Privacy Rule 45 CFR § 160.102.
4. Privacy Rule 45 CFR § 164.504.
5. The Privacy Rule preempts state law unless state law is "more stringent" than the Privacy Rule.
© 1999 - Moses & Singer LLP all rights reserved.