Suggested Citation:"VI. APPLICATION OF HIPAA TO HYBRID ENTITIES ." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.
use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.[68] If an entity satisfies the definition for a business associate but is performing services for a covered entity without a business associate agreement, HIPAA of course applies to their relationship.[69] Some transit agencies responding to the survey provided copies of their business associate and subcontractor agreements that include provisions that require compliance with HIPAA.[70] However, Sections IX.C and IX.D of this digest discuss whether transit agencies meet the definition of a business associate and thus are subject to HIPAA’s requirements in the absence of an agreement to be bound by HIPAA.

V. APPLICABILITY OF HIPAA TO SUBCONTRACTORS

HIPAA applies to business associates that meet HIPAA’s definition of a business associate and that have an agreement with a covered entity that permits the business associate to create, receive, maintain, or transmit PHI so that covered entities may perform their health care functions.[71] Because HIPAA’s privacy and security requirements apply to subcontractors of business associates, business associates may disclose PHI to a subcontractor.[72] The reason that subcontractors are bound by HIPAA is to avoid a lapse of protection in privacy and security for PHI when a function is performed by an entity that does not have a direct relationship with the covered entity.[73] Under HIPAA, a subcontractor is one “to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”[74] Subcontractors may have access to and use PHI on behalf of business associates as long as business associates obtain satisfactory assurances from subcontractors that they “will appropriately safeguard the information.”[75]

One transit agency responding to the survey reported that it is a subcontractor because it has a contract with the state to provide rides for the Oregon Health Plan and Medicaid-eligible participants.[76] The agreements provided by transit agencies for this digest stipulate that the agencies will comply with HIPAA. Assuming that transit agencies are subject to HIPAA as a business associate, transit agencies that are subcontractors of a business associate also would be subject to HIPAA and may receive and maintain health information on patrons.

VI. APPLICATION OF HIPAA TO HYBRID ENTITIES

HIPAA applies to entities that perform in the capacity of a covered entity as well as provide services or exercise functions that do not involve health care. A hybrid entity is a single legal entity that is a covered entity whose business activities include both covered and non-covered functions.[77] An entity that is a hybrid entity may designate health care components in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(D).[78] As explained in HHS’s final rule,

    [M]any covered entities perform both covered and non-covered functions as part of their business operations. For such covered entities, the entire entity is generally required to comply with the Privacy Rule. However, the hybrid entity provisions of the HIPAA Rules permit the entity to limit the application of the Rules to the entity’s components that perform functions that would make the component a “covered entity” if the component were a separate legal entity.[79]

The final rule further explains:

    [T]his provision allows an entity to designate a health care component by documenting the components of its organization that perform covered entity functions. The effect of such a designation is that most of the requirements of the HIPAA Rules apply only to the designated health care component of the entity and not to the functions the entity performs that are not included in the health care component. While most of the HIPAA Rules’ requirements apply only to the health care component, the hybrid entity retains certain oversight, compliance, and enforcement obligations (emphasis added).[80]

HHS’s Web site explains that:

    [I]f a State, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity they must comply with the HIPAA Privacy Rule. For example, a state Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities. Most of the requirements of the Privacy Rule apply only to the hybrid entity’s health care component(s).[81]

An example of a hybrid entity is the Office of Management Enterprises and Services (OMES), an agency of the state of Oklahoma.[82] The OMES is comprised of separate departments, “some of which provide ‘covered functions’ as ‘health care components’ of OMES” as those terms are defined in HIPAA.[83] Pursuant to HIPAA, OMES designated its HealthChoice Insurance Program, flexible spending accounts unit, and state wellness program as covered components.[84] In doing so, OMES excluded its non-covered components from the application of the HIPAA Privacy Rule. As explained in a policy memorandum, OMES operationally segregates its non-covered functions from its covered functions to ensure “that each health care component…[d]oes not disclose PHI to another (non-health care) component of the covered entity in circumstances in which HIPAA would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities.”[85]

Some counties have identified themselves as hybrid entities under HIPAA.[86] Fairfax County in Virginia states that the county government

    provides care and services related to the physical or mental health of our residents. Fairfax County also provides numerous non-health care related services to our residents. Fairfax County has chosen to restrict the application of the HIPAA Privacy Rule to those parts of the County enterprise that are performing covered health care transactions.

Fairfax County advises that “as agencies seek to automate business processes related to health care billing and electronic transactions, then they will be designated within the Fairfax County Government’s HIPAA hybrid entity.”[87] Fairfax County also reports that the county’s hybrid entity currently consists of the Fire and Rescue Department (FRD), the Health Department (HD) and the Fairfax-Falls Church Community Services Board (CSB).

    Agencies providing human services support to clients of the HD and the CSB will be designated within the hybrid entity as appropriate policies and procedures are adopted (emphasis added).[88]

The above italicized language suggests that an agency providing human services transportation (“human services support”) could be “designated within [a] hybrid entity.” HIPAA’s final rule states that the health care component of a hybrid entity includes all business associate functions within the entity.[89] Nevertheless, it is not clear whether a county health department could designate a county agency that provides transportation as part of the hybrid entity’s health care functions and services to permit sharing of PHI between the two county agencies. In the case of a covered entity and a completely separate entity, however, it appears that a covered entity would have to enter into a business associate agreement with the separate entity to permit the sharing of PHI.

Two transit agencies responding to the survey stated that they are hybrid entities.[90] On the

Footnotes

[68] 45 C.F.R. § 164.502(a)(3) (2013). Section 164.504(e)(2)(i)(A) and (B) referenced in the section are not applicable to transit agencies, but nevertheless state that the business associate “(A) …contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) …contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.”
[69] 78 Fed. Reg. 5598.
[70] See App. C of this digest.
[71] 78 Fed. Reg. 5573.
[72] Id. at 5573, 5689; 45 C.F.R. § 160.103 (2013) (excluding one serving as a member of the workforce of the business associate).
[73] 78 Fed. Reg. 5572-5573.
[74] Id. at 5689; 45 C.F.R. § 160.103 (2013).
[75] 45 C.F.R. § 164.502(e)(1)(ii) (2013).
[76] See App. C of this digest.
[77] 45 C.F.R. § 164.103 (2013).
[78] 45 C.F.R. § 164.105 (2013).
[79] 78 Fed. Reg. 5588.
[80] Id. See 45 C.F.R. § 164/1-5 (2013).
[81] U.S. DEP’T OF HEALTH AND HUMAN SERVICES, HEALTH INFORMATION PRIVACY, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/covered_entities/358.html.
[82] 62 OK. STAT. § 34.3 (2012).
[83] Memorandum, Office of Management Enterprises Services (OMES), Designation of OMES as a Hybrid Entity under HIPAA (effective July 19, 2012), available at http://www.ok.gov/OSF/documents/HybridEntityHIPAA.pdf, hereinafter referred to as “OMES Memorandum.”
[84] 45 C.F.R. § 164.105(a)(2)(iii)(C).
[85] OMES Memorandum, supra note 83, at 2.
[86] See resolution of Clark County, Nevada (dated December 7, 2010), available at http://www.clarkcountynv.gov/Depts/internal_audit/Services/Documents/DesignationofHIPAAHybridEntity-4thAmend-signed.pdf.
[87] Fairfax County, Virginia (re: HIPAA), http://www.fairfaxcounty.gov/hipaa/covered_entity.asp.
[88] Id.
[89] 78 Fed. Reg. 5588.
[90] One transit agency responding to the survey stated that it is a hybrid entity because it transported “some passengers to health care covered entities.” Another transit agency also identified itself as a hybrid entity because as much as 25 percent of the ADA para-

TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
