Suggested Citation: "III. HIPAA'S APPLICATION TO COVERED ENTITIES." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.
Rules;[20] and modify the rules for giving notice of a breach of unsecured PHI.[21] The final rule generally prohibits the sale of PHI without an individual's authorization and includes more stringent limitations on the use and disclosure of PHI for marketing and fundraising purposes.[22] In addition, the final rule expands individuals' rights to receive electronic copies of their health information and requires covered entities to modify and redistribute notices of their privacy practices.

The final rule makes important changes regarding compliance with HIPAA by covered entities, business associates, and others that are subject to HIPAA and amends HIPAA's provisions on enforcement by providing for stiffer civil money penalties (CMP) and criminal penalties, hereinafter the Enforcement Rule.[23] For example, under 45 C.F.R. § 160.402(c), a covered entity is liable for a CMP for a violation based on an "act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency."[24] It should be noted that the term "workforce" means more than an entity's employees. HIPAA defines the term "workforce" to mean employees, volunteers, trainees, and other persons serving under the direct control of a covered entity or business associate regardless of whether the covered entity or business associate is paying them (emphasis added).[25] HITECH subjects business associates to the same civil and criminal penalties that apply to covered entities.[26] As a result of HITECH, state attorneys general are authorized to bring civil actions for damages on behalf of residents in their states for violations of HIPAA.[27] Consequently, the federal and state governments have more means to enforce HIPAA and to enforce the law against more entities and persons.[28] HITECH's amendments to HIPAA "encourage[d] companies, and not just health care companies, to reevaluate how they use and disclose personal health information."[29]

Although HHS's final rule was effective as of March 26, 2013, covered entities and business associates had 180 days beyond the effective date to become compliant.[30] The Enforcement Rule was effective as of the date the final rule became effective.[31]

III. HIPAA'S APPLICATION TO COVERED ENTITIES

HIPAA applies only to covered entities, their business associates, subcontractors of business associates, and hybrid entities having health care components as discussed hereafter. Under HIPAA, the term covered entities means only (1) health plans, (2) health care clearinghouses, and (3) health care providers "who transmit[] any health information in electronic form in connection with a transaction covered by this subchapter."[32] Transit agencies thus are not covered entities. HIPAA does not apply to transit agencies unless, as discussed in Sections IV.A and IX.C and D of this digest, they meet HIPAA's criteria for being a business associate of a covered entity. Regardless of whether transit agencies meet HIPAA's definition of a business associate, some transit agencies have contracts to provide transportation to covered entities, which stipulate that HIPAA applies to the agreements.

As defined by HIPAA, first, a health plan means an individual or group plan that provides or pays the cost of medical care. Health plans include group health plans; issuers of health insurance; health maintenance organizations; part A or part B of the Medicare program; issuers of Medicare supplemental policies; the Medicaid program; issuers of certain long-term care policies; employee welfare benefit plans; the health care program for the uniformed services under title 10 of the United States Code; the veteran's health care program;[33] the Federal Employees Health Benefits Program; other plans or programs identified in 45 C.F.R. § 160.103; and any other individual or group plans that provide or pay for the cost of medical care.[34]

Second, the definition of covered entities includes group health plans such as employee welfare benefit plans, both insured and self-insured plans, to the extent that they provide "medical care…including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise" that have 50 or more participants or that are "administered by an entity other than the employer that established and maintains the plan."[35]

Third, a covered entity includes a "health care provider who transmits any health information in electronic form or in connection with a transmission covered by this subchapter."[36] A health care provider means a provider of medical or health services and "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business."[37] (citations omitted) Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies are health care providers.[38]

As stated, only covered entities, their business associates, subcontractors of business associates, and hybrid entities are subject to HIPAA. As HHS acknowledges, many entities have or receive PHI without being subject to HIPAA.[39] HHS does not have the authority to regulate employers, life insurance companies, or even public agencies that provide social security or welfare benefits.[40] Even though the Social Security Administration collects medical and health information, it is not a covered entity and is not subject to HIPAA's Privacy Rule discussed in Section VIII of this digest.[41] As one article states,

    The Privacy Rule includes the following exceptions to the business associate standard…The collection and sharing of protected health information by a health plan that is a public benefits program, such as Medicare, and an agency other than the agency administering the health plan, such as the Social Security Administration, that collects protected health information to determine eligibility or enrollment, or determines eligibility

Notes

[20] See HITECH Act, Pub. L. No. 111-5, 123 Stat. 115, 260 (2009).

[21] The term "unsecured protected health information" means PHI "not secured through the use of a technology or methodology." HITECH Act, Pub. L. No. 111-5 § 13402(h), 123 Stat. 115 (2009) and 42 U.S.C. § 17932(h). See also 78 Fed. Reg. 5639.

[22] The term "marketing" means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." 42 C.F.R. § 164.501 (2013). See Anna L. Spencer, Responding to Challenging Aspects of HITECH'S Modifications to HIPAA, at 131, INSIDE THE MINDS: RECENT DEVELOPMENTS WITH HIPAA, Thomson Reuters, Aspatore (2010), hereinafter referred to as "Spencer."

[23] HITECH Act, Pub. L. No. 111-5 § 13410(d), 123 Stat. 115 (2009) and 42 U.S.C. § 17939 (2013); U.S. Dep't of Health and Human Services, Office of the Secretary, 45 C.F.R. part 160, HIPAA Administrative Simplification: Enforcement, Interim Final Rule, 74 Fed. Reg. 56123 (effective November 30, 2009) (adopted to conform the enforcement of HIPAA regulations to statutory revisions made by HITECH); see 45 C.F.R. §§ 160.400, 160.402, 160.404, 160.406, 160.408, 160.410 (2013). See also Phillips, supra note 13, at 134.

[24] 45 C.F.R. § 160.402(c)(1) (2013). See also Phillips, supra note 13, at 134.

[25] 45 C.F.R. § 160.103 (definition of "workforce").

[26] 42 U.S.C. § 17934(c) (2013) (liability of business associates for privacy violations); 42 U.S.C. § 17931(b) (2013) (liability of business associates for security violations). See 45 C.F.R. § 160.402(c)(2) (2013) (stating that "[a] business associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency"). See also Acevedo & Rathburn, supra note 15, at *3.

[27] HITECH Act Pub. L. 111-5 § 13410(d), 123 Stat. 115 (2009) and 42 U.S.C. § 1320d-5(d). See also Acevedo & Rathburn, supra note 15, at *3.

[28] Kelly M. Jolley & Kathleen G. Chewning, The New HIPAA Privacy and Security Rules are Here: What do Your Clients Need to Know? 21 S. CAROLINA LAWYER 16, 18 (2010), hereinafter referred to as "Jolley & Chewning." HHS's final rule also implements § 105 of title I of the Genetic Information Nondiscrimination Act, Pub. L. No. 110-233, 122 Stat. 881 (2008), by prohibiting most health plans from using or disclosing genetic information for underwriting purposes. See 42 U.S.C. § 1320-d (9) (2013); 78 Fed. Reg. 5566.

[29] Jolley & Chewning, supra note 28, at 17-18.

[30] 78 Fed. Reg. 5569; 45 C.F.R. § 160.105 (2013).

[31] Id.

[32] 45 C.F.R. § 164.104(a) (2013).

[33] The Veterans Health Administration's (VHA) treatment activities meet the definition of a covered health care provider. The VHA also is a designated health plan as to care provided or paid for under chapter 17 of title 38 of the United States Code. The Veterans Benefits Administration (VBA) is not a covered entity. Thus, with one exception, "the Privacy Rule does not apply to protected individually identifiable health information once it is received by VBA." Department of Veterans Affairs, Memorandum by the General Counsel, at 3-4 (March 17, 2003), hereinafter referred to as "Veterans Administration Legal Memorandum," available at http://www.va.gov/ogc/docs/ADV3-2003.pdf. The VBA does "not need a Privacy Rule authorization to disclose health information received from VHA or another covered entity." Id. at 7.

[34] 45 C.F.R. § 160.103 (2013). See id. for programs and plans that are excluded from the definition of a health plan.

[35] 45 C.F.R. § 164.103 (2103) (definition of group health plan).

[36] 45 C.F.R. § 160.103 (2013) (definition of health care provider).

[37] 45 C.F.R. § 160.103 (2013).

[38] U.S. DEP'T OF HEALTH AND HUMAN SERVICES, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html.

[39] U.S. DEP'T OF HEALTH AND HUMAN SERVICES, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/covered_entities/366.html.

[40] U.S. DEP'T OF HEALTH AND HUMAN SERVICES, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.

[41] See U.S. DEP'T OF HEALTH AND HUMAN SERVICES, HEALTH INFORMATION PRIVACY, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.

About this digest
TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
