Suggested Citation: “IV. HIPAA’S APPLICATION TO BUSINESS ASSOCIATES OF COVERED ENTITIES.” National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.

[E]mployers often house large amounts of health information, but generally employers are not covered entities. Other parties such as advertising companies, life insurance companies, data-mining companies, financial institutions, home health agencies, hospices, intermediate care facilities, and social networking sites do not seem to be covered by the privacy rule.[42]

The courts in several cases have reinforced the position that the scope of covered entities subject to HIPAA is limited to health plans, health care clearinghouses, and health care providers; thus, governments and their agencies (such as law enforcement agencies) that do not come within the meaning of covered entities are not subject to HIPAA regardless of whether they obtain PHI from a covered entity such as a hospital.[43]

IV. HIPAA’S APPLICATION TO BUSINESS ASSOCIATES OF COVERED ENTITIES

A. Definition of a Business Associate

A business associate is one who performs activities, functions, or services on behalf of a covered entity that involve the use or disclosure of PHI discussed in Section IV.B of this digest.[44] Previously, if a covered entity’s business associate failed to meet its obligations, the business associate’s liability was limited to a breach of contract claim by the covered entity pursuant to the business associate agreement between them.[45] However, since HITECH’s enactment, business associates are now directly liable under HIPAA’s enforcement provisions.[46]

As defined in § 160.103, a business associate of a covered entity is a person (a term that includes a partnership, corporation, professional association or corporation, or other entity, public or private)[47] who:

(i) On behalf of such covered entity…creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

(ii) Provides…legal, actuarial, accounting, consulting, data aggregation…, management, administrative, accreditation, or financial services to or for such covered entity…where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.[48]

HHS has provided examples of persons or entities that may be business associates of covered entities:

• A third-party administrator that assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• A consultant that performs utilization reviews for a hospital.
• A health care clearinghouse that translates a claim from a nonstandard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan’s pharmacist network.[49]

The question of whether an entity is a business associate of a covered entity is always “fact specific.”[50] HHS is clear that a business associate is one that requires access to PHI to perform certain activities or functions on behalf of a covered entity.[51] Any person or entity “public or private[] who performs these functions or activities or services is a business associate for purposes of the HIPAA Rules, regardless of whether such person has other professional or privilege-based duties or responsibilities.”[52] HHS explains that a business associate generally is an agent of a covered entity if a business associate agreement grants the “covered entity the authority to direct the performance of the service provided by its business associate….”[53] As explained by HHS in its final rule issued in January 2013:

• A person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise (emphasis added).[54]
• Liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits PHI on behalf of a covered entity or business associate and otherwise meets the definition of a business associate (emphasis added).
• Liability also does not depend on the type of PHI as it “may not necessarily include diagnosis-specific information.…”[55]

Even though the definition of a business associate and the above examples do not include transit agencies, some transit agencies have contracts with covered entities to provide individuals with transportation to covered entities. It appears that transit agencies receive health information from patrons, but also may receive health information from covered entities or business associates of covered entities. For example, as discussed in Section IX.C, a transit agency may act as a broker for a coordinated transportation services program.

Sections IX.C and IX.D of this digest consider the issue of whether transit agencies meet the definition of a business associate so as to be subject to HIPAA. Although it does not appear that transit agencies satisfy HIPAA’s definition of a business associate, some transit agencies have entered into contracts that provide that they will comply with HIPAA. Regardless of whether HIPAA applies to transit agencies because of a stipulation in their agreements, a covered entity (or its business associate) may share PHI with a transit agency only when a patient or client authorizes the disclosure of his or her health information or when a disclosure is required by law.[56] As discussed in subpart B below, a covered entity’s (or a business associate’s) permitted uses and disclosures of PHI do not include disclosures to a transit agency or for transportation.

B. Uses and Disclosures of PHI by Business Associates

Although the HIPAA rules authorize a business associate to create, receive, maintain, or transmit PHI on behalf of a covered entity, the HIPAA regulations in 45 C.F.R. § 160.103 are quite clear that a function performed by a business associate must be one that is regulated “by this subchapter,” such as processing or billing on behalf of a covered entity. The definition of a business associate is somewhat narrower when a business associate performs other functions, such as accounting or consulting. With respect to the latter functions, HIPAA permits a disclosure of PHI but does not go as far as to provide that a business associate may create, receive, maintain, or transmit PHI on behalf of a covered entity. When a covered entity engages a business associate, the covered entity must obtain satisfactory assurances that the business associate will safeguard the privacy of the information (emphasis added).[57] The assurances must be documented in an agreement or other “arrangement” in writing between a covered entity and a business associate.[58] A covered entity does not need to have such assurances from a subcontractor of a business associate.[59]

As stated, business associates include persons and entities that perform functions for or provide services to covered entities and need PHI to do so.[60] A business associate may use or disclose PHI only in the same manner that a covered entity may use or disclose PHI.[61] There is no provision in the HIPAA regulations that expressly or impliedly permits a disclosure of PHI by a covered entity to an entity such as a transit agency. Unless a disclosure of PHI is required by law (see Sections VIII.B.1 and VIII.B.2), a covered entity (or its business associate) must have an authorization signed by the subject of the PHI before using or disclosing the information, a point emphasized in the report quoted below. PHI may be shared when:

1. The required Business Associate Agreements are in place between the covered entity and the organizations that receive the protected health information;
2. Only the minimum necessary information is shared among the providers and/or brokers;
3. Protected health information is safeguarded according to the provider’s and/or broker’s Privacy Plan and Business Associate Agreements; and
4. Clients have been properly educated about the provider’s and/or broker’s HIPAA policies and practices and have signed authorizations to release information as directed by the client (emphasis added).[62]

C. Requirements for a Business Associate Agreement

HIPAA requires that before a covered entity provides PHI to a business associate, the two entities must enter into a contract that complies with the HIPAA regulations. The contract must state when a business associate is permitted to create, receive, maintain, or transmit PHI.[63] A business associate agreement must provide, inter alia, that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; use appropriate safeguards and comply with HIPAA requirements concerning electronic PHI to prevent its unauthorized use or disclosure; report to the covered entity any unauthorized uses or disclosures of the information, including any breaches of unsecured PHI; and ensure that any of the business associate’s subcontractors agree to the same restrictions and conditions that apply to the business associate with respect to the PHI.[64] (References therein to other parts of the C.F.R. omitted.) Under the regulations certain “implementation specifications” apply to a business associate contract.[65] Section 164.504(e)(3) sets forth the implementation specifications that apply when a covered entity and a business associate are both government entities.

A business associate is not authorized (except in two situations not pertinent here[66]) to use or disclose PHI unless the covered entity is permitted by HIPAA to make the same uses and disclosures.[67] As the regulations clearly state:

A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to § 164.504(e) or as required by law. The business associate may not

…or enrollment, for the government program, where the joint activities are authorized by law. Id. (citing 45 C.F.R. § 164.502(e)). See also MASSLEGAL SERVICES, HIPAA AND THE SOCIAL SECURITY ADMINISTRATION, available at http://www.masslegalservices.org/content/hipaa-and-social-security-administration: Once health information protected by the HIPAA Privacy Rule is released to a non-covered entity such as [the Social Security Administration], the HIPAA Privacy Rule ceases to apply to the released information. The bottom line is that the release forms currently being used by advocates in dealing with SSA and DDS do not need to be modified because of HIPAA.
[42] Martha Tucker Ayres, Confidentiality and Disclosure of Health Information in Arkansas, 64 ARK. L. REV. 969, 978 (2011) (footnotes omitted), hereinafter referred to as “Ayres.”
[43] United States v. Prentice, 683 F. Supp. 2d 991, 1001 (D. Minn. 2010) (law enforcement agency not a covered entity subject to HIPAA restraints on the use or receipt of PHI); United States v. Elliott, 676 F. Supp. 2d 431, 440 (D. Md. 2009) (law enforcement agencies not covered entities under HIPAA); United States v. Mathis, 377 F. Supp. 2d 640, 645 (M.D. Tenn. 2005) (FBI not within the meaning of covered entities under HIPAA); Beard v. City of Chicago, 2005 U.S. DIST. LEXIS 374, at *2 (N.D. Ill. 2005) (city fire department not a covered entity under HIPAA).
[44] 78 Fed. Reg. 5598.
[45] Jolley & Chewning, supra note 28, at 22-23.
[46] See 42 U.S.C. § 17931(a) (2013) (application of security provisions and penalties to business associates of covered entities) and 42 U.S.C. § 17934 (2013) (application of privacy provisions and penalties to business associates of covered entities). See also Spencer, supra note 22, at *2.
[47] 45 C.F.R. § 160.103 (2013) (definition of person).
[48] 45 C.F.R. § 160.103 (2013).
[49] U.S. DEP’T OF HEALTH AND HUMAN SERVICES, BUSINESS ASSOCIATES, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.
[50] 78 Fed. Reg. 5571.
[51] Id. at 5571 and 5598.
[52] Id. at 5598.
[53] Id. at 5581; 45 C.F.R. § 160.402 (2013).
[54] 78 Fed. Reg. 5598.
[55] Id.
[56] 45 C.F.R. § 164.103 (definition of required by law).
[57] 45 C.F.R. § 164.502(e)(1)(i) (2013).
[58] 45 C.F.R. § 164.502(e)(2) (2013). The agreement or arrangement must meet the requirements set forth in § 164.504(e) (2013).
[59] 45 C.F.R. § 164.502(e)(1)(i) (2013).
[60] See 78 Fed. Reg. 5598. See 42 U.S.C. § 17931 (2013) (requiring business associates to comply with certain provisions of the Security Rule); 42 U.S.C. § 17934 (2013) (requiring business associates to comply with certain provisions of the Privacy Rule). See also Briar A. Andresen, The Changing World of HIPAA: Adapting Strategies and Preparing Clients, INSIDE THE MINDS: RECENT DEVELOPMENTS WITH HIPAA, at *2 (citing 45 C.F.R. § 160.103 (2006)), hereinafter referred to as “Andresen,” and Spencer, supra note 22, at *1.
[61] 78 Fed. Reg. 5597; see also 45 C.F.R. §§ 164.502(a)(3), (4), and (5) (2013).
[62] Federal Opportunities Workshop, Agency Council on Coordinated Transportation, Final Report, at 59 (Olympia, WA 2011), available at http://www.wsdot.wa.gov/acct/documents/FOW/JTC_FOWFinalReport.pdf, hereinafter referred to as “ACCT Final Report.”
[63] 45 C.F.R. § 164.504(e)(2)(i) (2013).
[64] 45 C.F.R. § 164.504(e)(2)(ii) (2013).
[65] 45 C.F.R. § 164.504(e)(2)(i) (2013).
[66] 45 C.F.R. § 164.524 (2013) is entitled “Access of Individuals to Protected Health Information” but includes numerous exceptions, such as for psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and certain categories of PHI maintained by a covered entity. See 45 C.F.R. § 164.524(a)(i)-(iii) (2013).
[67] 45 C.F.R. § 164.504(e)(2)(i) (2013). The two exceptions are that “[t]he contract may permit the business associate to use and disclose [PHI] for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section” and “[t]he contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.” 45 C.F.R. §§ 164.504(e)(2)(i)(A) and (B) (2013).

TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
