noted, some transit agencies serve as direct providers or as brokers and business associates or as their subcontractors to provide transportation pursuant to a contract with a state or local agency that coordinates transportation services for persons or entities covered by HIPAA. Follow-up interviews were conducted with several agencies that responded to the survey. Some agencies stated that they are a business associate (or a subcontractor of a business associate) of a covered entity and provided a copy of their business associate or subcontractor agreements that are discussed in this digest and included in Appendix C.

II. HIPAA, THE HITECH AMENDMENTS TO HIPAA, AND HHS'S FINAL RULE

HIPAA[10] authorized the Secretary of HHS to issue regulations to implement the administrative requirements of HIPAA.[11] On December 28, 2000, HHS published regulations that included HIPAA's Privacy Rule.[12] HHS's regulations are used to determine the responsibilities of covered entities, business associates, and others that are subject to HIPAA under the Privacy Rule, as well as HIPAA's Security Rule[13] discussed in Sections VIII.B. and VIII.C of this digest.[14]

In 2009 Congress enacted HITECH to promote the widespread adoption and interoperability of health information technology. HITECH "relate[s] to health information technology (HIT) and incentives to adopt electronic health record (EHR) systems."[15] In amending HIPAA, however, HITECH made the requirements of HIPAA's Privacy Rule and Security Rule directly applicable to business associates of covered entities and to subcontractors of business associates.[16] HITECH also modified certain provisions of the Social Security Act pertaining to the HIPAA rules and required other modifications to the rules.[17]

On January 25, 2013, HHS issued its final rule entitled "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; [and] Other Modifications to the HIPAA Rules."[18] HITECH and HHS's final rule strengthen HIPAA's privacy and security protections for individuals' PHI maintained in electronic health records and other formats;[19] make business associates of covered entities, discussed in Section IV of this digest, directly liable under HIPAA for failure to comply with the HIPAA Privacy and Security

Footnotes

ville, TN; Manchester Transit Authority (MTA), Manchester, NH; Memphis Area Transit Authority (MATA), Memphis, TN; Metro Transit (Metro Transit), Madison, WI; North County Transit District (North County Transit), Oceanside, CA; Pierce County Transportation Benefit Area Authority (Pierce Transit), Lakewood, WA; Riverside Transit Agency (Riverside), Riverside, CA; Salem-Keizer Transit (Salem-Keizer), Salem, OR; Space Coast Area Transit (Space Coast), Cocoa, FL; Utah Transit Authority (Utah Transit), Salt Lake, UT; Votran (Volusia County) (Votran), Daytona Beach, FL; and Whatcom Transportation Authority (Whatcom), Bellingham, WA.

[10] 42 U.S.C. §§ 17921 to 17953.

[11] See HIPAA, Pub. L. No. 104-191, §§ 261-264, 110 Stat. 1936, 2024 et. seq., and 42 U.S.C. §§ 1320d-1320d-8 (2013) (Administrative Simplification); see 45 C.F.R. part 160 (2013) (General Administrative Requirements); 45 C.F.R. part 162 (2013) (Administrative Requirements); and 45 C.F.R. part 164 (2013) (Security and Privacy).

[12] U.S. DEP'T OF HEALTH AND HUMAN SERVICES, SUMMARY OF THE HIPAA PRIVACY RULE, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.

[13] Stephen K. Phillips, A Legal Research Guide to HIPAA, 3 J. HEALTH & LIFE SCI. L. 134 (2010), hereinafter referred to as "Phillips."

[14] The privacy regulations appear in 45 C.F.R. §§ 160 and 164, subparts A (§§ 164.102–164.106) and E (§§ 164.500–164.534). The security regulations appear in 45 C.F.R. §§ 160 and 164, subparts A (§§ 164.102-164.106) and C (§§ 164.400-164.414).

[15] ARRA, Pub. L. 111-5, Section 13001, 123 Stat. 115 (2009), 42 USC 201. See also, Lisa Acevedo & Jennifer L. Rathburn, Medical Privacy Enforcement and Penalties: HIPAA Gets Teeth, available at http://www.quarles.com/files/FileControl/c0df14d7-6e02-44e6-8b71-c6080df99f71/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/File/Medical_Privacy_Enforcement.pdf, available at *2 (Thomson Reuters, Aspatore, Sep. 1, 2011), hereinafter referred to as "Acevedo & Rathburn."

[16] 42 U.S.C. § 17934 (2013) (application of privacy provisions and penalties to business associates of covered entities); 42 U.S.C. § 17931 (2013); 78 Fed. Reg. 5566, 5568 (Jan. 25, 2013) (HIPAA final rule).

[17] 78 Fed. Reg. 5567.

[18] Id. at 5566.

[19] Id.