General Administrative Requirements
These requirements are captured in 45 CFR Part 160. It in turn is broken down into Subparts as follows:
- 45 CFR Part 160 Subpart A – General Provisions
- 45 CFR Part 160 Subpart B – Preemption of State Law
- 45 CFR Part 160 Subpart C – Compliance and Enforcement
- 45 CFR Part 160 Subpart D – Imposition of Civil Money Penalties
There is no attempt here to be exhaustive. The coverage provided in this section may be broader than what directly pertains to the HIPAA Privacy Rule and the HIPAA Security Rule. We felt that it was important to at least highlight other key topics.
45 CFR Part 160 Subpart A – General Provisions
The most important part of this section is §160.103 (Definitions). The key definitions are paraphrased below, except for those instances where the language is succinct and critically important to our objective. Otherwise, the definitions often go on for several paragraphs and duplicating these would not prove useful. The goal here is to provide an understanding of key concepts and discuss their relative importance in general. Finally, this coverage contains only a subset of the defined terms—that is, those that are particularly relevant to providers.
The HIPAA definition of Business Associate has broad applicability and includes, other than a health care provider's employees, "partners" that may provide legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services wherein the services require the disclosure of individually identifiable health information.
HIPAA Survival Guide Note: HIPAA Business Associate Agreements
The critical aspect of the Business Associate concept is that the HIPAA Privacy Rule mandates that providers have written contracts with them (aka Business Associate Agreements). The HITECH Act places even more stringent requirements on Business Associate relationships. We suspect that in many cases these Business Associate Agreements do not exist as required for all designated parties. A key concern, among many, is that some software vendors almost certainly will be categorized as Business Associates (and don't forget: no Business Associate Agreement means non-compliance). This is a concept that providers, especially small providers, need to pay close attention to.
Certain third parties that manage electronic health records (e.g. Google Health and Microsoft HealthVault) do NOT fit this definition and therefore are not covered entities. The HIPAA rules do not (currently) apply to them and therefore their own proprietary privacy policies control. This is an area that is in flux and we expect to see HHS (and perhaps other agencies) address this issue soon.
If you are still scratching your head, wondering just who is and who isn't a Business Associate, this article may prove helpful: HIPAA Business Associates: That was then, this is now.
The HIPAA definition of covered entity means:
- A health plan,
- A health care clearinghouse, or
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
HIPAA Survival Guide Note: Covered Entity
The rules as promulgated by HHS apply to covered entities. The final clause of the provider definition ("who transmits any health information in electronic form in connection with a transaction covered by this subchapter") is somewhat confusing in that it appears to constrain the definition of a provider to only those who "transmit." Of course, today all (or nearly all) providers likely transmit this kind of information, so as a practical matter it appears to be all-inclusive.
If a provider chooses to enable the sharing of protected health information with third parties then clearly a Business Associate relationship likely exists and a written Business Associate Agreement would be required. The HITECH Act puts more stringent requirements on Business Associate Agreements. This may be due in part to a wider anticipated use of third party services.
The HIPAA definition of disclosure means the release, transfer, provision of, access to, or divulging in any other manner, of information outside the entity holding the information.
HIPAA Survival Guide Note: Disclosure
The HIPAA definition of electronic media is broadly defined and includes both (1) electronic storage and (2) electronic transmission media. That said, the following language within this definition excludes certain transmission:
Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
HIPAA Survival Guide Note: Electronic Media
So, in order to have an electronic transmission, the data transmitted must have first been captured in electronic form. However, this definition leaves much unanswered such as "what if the paper was scanned and then transmitted via email?"
Except for the caveat explicitly inserted into the definition regarding "certain transmissions," almost any electronic storage and transmission media you can think of fits the definition (e.g. thumb drives, hard disks, internet connections, etc.). The relevance of this will become more evident when we examine the Security Rule.
The HIPAA definition of Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
- Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
- Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
HIPAA Survival Guide Note: Health Care
This definition is broad and mostly speaks for itself, except that the second item (sale or dispensing in accordance with a prescription) leaves the door wide open for a much broader scope, with the inclusion of entities that the public may not generally consider to be part of "health care."
The HIPAA definition of health care provider means, in general, services performed by physicians, and services performed by a host of other health care professionals, as defined in 42 U.S.C. 1395x(s) and 1395x(u), and any other person or organization "who furnishes, bills, or is paid for health care in the normal course of business."
HIPAA Survival Guide Note: Health Care Provider
Given the broad definition of "health care" this definition is likewise sweeping in scope.
The HIPAA definition of Health Information means: any information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
HIPAA Survival Guide Note: Health Information
This definition appears broad enough to include all patient information that a provider manages and in whatever form, and has similar implications for the other enumerated entities.
The HIPAA definition of individual means the person who is the subject of protected health information.
HIPAA Survival Guide Note: Individual
It seems that it would be difficult to find an instance where this means anything other than the patient. If you can think of such an example, by all means let us know.
The HIPAA definition of Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  - That identifies the individual; or
  - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
HIPAA Survival Guide Note: Individually Identifiable Health Information
Clearly this is a core concept with respect to maintaining privacy. It applies wherever health information and identification information are linked. This concept represents the "heart" of what must be protected.
The HIPAA definition of protected health information means individually identifiable health information:
- Transmitted by electronic media; or
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
HIPAA Survival Guide Note: Protected Health Information (PHI)
If health care information is linked to an individual, then it appears to be universally protected (e.g. paper, fax, electronic, etc.).
The HIPAA definition of transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
- Health care claims or equivalent encounter information.
- Health care payment and remittance advice.
- Coordination of benefits.
- Health care claim status.
- Enrollment and disenrollment in a health plan.
- Eligibility for a health plan.
- Health plan premium payments.
- Referral certification and authorization.
- First report of injury.
- Health claims attachments.
- Other transactions that the Secretary may prescribe by regulation.
HIPAA Survival Guide Note: Transaction
These refer to the transactions as defined in §162. With the current push to share other kinds of information, these transactions may be expanded as provided for in the last item above (other transactions that the Secretary may prescribe by regulation).
The HIPAA definition of Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
HIPAA Survival Guide Note: Use
If the health care information is linked to an individual then almost any interaction with such information is "use."
The HIPAA definition of Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
HIPAA Survival Guide Note: Workforce
Essentially, if a provider directly supervises the person, then they are likely part of the workforce. However, be careful, because independent contractors (e.g. consultants) generally would not be considered part of the workforce and should be treated as Business Associates.