HIPAA 3: Privacy FAQ
HIPAA Privacy FAQ

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Included in this lesson is a description of the three categories of organizations that HIPAA laws and rules apply to, Covered Entities and their Workforce, Business Associates, and Sub-Contractors and Agents. It also includes the support staff of Business Associates.

This lesson is divided into four parts:

The HIPAA Privacy Rule Summary

HIPAA Privacy Standards and The Sample Business Associate Contract

HIPAA Privacy Rule Frequently Asked Questions

The HIPAA Security Rule and Security FAQ

Who do HIPAA rules apply to?

Covered Entities are required to follow HIPAA laws and regulations. An example of a covered entity is an insurance company or hospital. A more detailed description of covered entities is provided later in the lesson.

Attorneys fall into the category of Business Associates for the purposes of HIPAA regulations. A business associate is someone who is required to have a Business Associate Contract with a Covered Entity.

While court reporters are not generally considered to be a Business Associate of a Covered Entity, the attorneys they work for are required to have a Business Associate Contract. This is because the court reporter is an agent or sub-contractor of the Attorney Business Associate.

The Attorney Business Associate is required [to sign] HIPAA’s recommended Business Associate Contract with the Covered Entity to ensure the Court Reporter is in compliance with HIPAA regulations.

If the court reporter has a contract directly with a Covered Entity, they may be considered a Business Associate.

This is the HIPAA Privacy FAQ Lesson.

The following questions and answers in this lesson come from the HIPAA FAQ section of the Health and Human Services website. To see more frequently-asked questions, see the following link:

http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html

FAQ 1: In providing legal services to a covered entity, must a lawyer who is a business associate require that those persons to whom it discloses protected health information agree to abide by the privacy restrictions and conditions that apply to the lawyer?

Answer: It depends on who the recipient is. The business associate agreement between the covered entity and the lawyer-business associate must provide that the lawyer will ensure that any agents, including subcontractors, to whom it provides protected health information agree to the same restrictions and conditions that apply to the business associate with respect to the information.

See 45 CFR 164.504(e)(2)(ii)(D).

Thus, if a lawyer-business associate enlists the services of a person or entity in furtherance of the lawyer’s legal services to a covered entity, and the lawyer must provide protected health information to the person or entity for such purpose, the lawyer’s business associate contract with the covered entity requires that the lawyer ensure that these persons agree to the same restrictions and conditions with respect to the protected health information they receive that apply to the lawyer as a business associate.

For example, pursuant to its business associate contract, a lawyer must ensure that other legal counsel, jury experts, document or file managers, investigators, litigation support personnel, or others hired by the lawyer to assist the lawyer in providing legal services to the covered entity, will also safeguard the privacy of the protected health information the lawyer receives to perform its duties. Conversely, a lawyer-business associate need not ensure that opposing counsel, fact witnesses, or other persons who do not perform functions or services that assist the lawyer in performing its services to the client, agree to the business associate restrictions and conditions, even though the lawyer may have to disclose protected health information to these third parties.

FAQ 2: Is a business associate contract required with organizations or persons where inadvertent contact with protected health information may result - such as in the case of janitorial services?

Answer: A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of protected health information, and any disclosure of protected health information to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented. Such disclosures are incidental and permitted by the HIPAA Privacy Rule.

See 45 CFR 164.502(a)(1).

If a service is hired to do work for a covered entity where disclosure of protected health information is not limited in nature (such as routine handling of records or shredding of documents containing protected health information), it likely would be a business associate. However, when such work is performed under the direct control of the covered entity (e.g., on the covered entity’s premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity need not enter into a business associate contract with the service.

FAQ 3: Has the Secretary exceeded the HIPAA statute by requiring "business associates" to comply with the Privacy Rule, even if that requirement is through a contract?

Answer: The HIPAA Privacy Rule does not “pass through” its requirements to business associates or otherwise cause business associates to comply with the terms of the Rule. The assurances that covered entities must obtain prior to disclosing protected health information to business associates create a set of contractual obligations far narrower than the provisions of the Rule, to protect information generally and help the covered entity comply with its obligations under the Rule.

Business associates, however, are not subject to the requirements of the Privacy Rule, and the Secretary cannot impose civil monetary penalties on a business associate for breach of its business associate contract with the covered entity, unless the business associate is itself a covered entity. For example, covered entities do not need to ask their business associates to agree to appoint a privacy officer or develop policies and procedures for use and disclosure of protected health information.

FAQ 4: Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?

Answer: The Privacy Rule regulates covered entities, not business associates. The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresses how covered entities may share this information with business associates. Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting, as provided for by 45 CFR 164.524, 164.526, and 164.528. With limited exceptions, a covered entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must make such protected health information available if and when needed by the covered entity to provide an indi...