[Please label comments about this section with the subject: Business partners]
In § 164.506(e), we propose to require covered entities to take specific steps to ensure that protected health information disclosed to a business partner remains protected. We intend these provisions to allow customary business relationships in the health care industry to continue while providing privacy protections to the information shared in these relationships. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted of the covered entity itself under these rules.
Other than for purposes of consultation or referral for treatment, we would allow covered entities to disclose protected health information to business partners only pursuant to a written contract that would, among other specified provisions, limit the business partner's uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We would hold the covered entity responsible for certain violations of this proposed rule made by its business partners, and require assignment of responsibilities when a covered entity acts as a business partner of another covered entity.
Under this proposed rule, a business partner would be a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. This would include contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. This would not include persons who would be members of the covered entity's workforce. The key features of the relationship would be that the business partner is performing an activity or function for or on behalf of the covered entity and that the business partner receives protected health information from the covered entity as part of providing such activity or function.
Many critical functions are performed every day by individuals and organizations that we would define as business partners. Under the proposal, billing agents, auditors, third-party administrators, attorneys, private accreditation organizations, clearinghouses, accountants, data warehouses, consultants and many other actors would be considered business partners of a covered entity. Most covered entities will use one or more business partners, to assist with functions such as claims filing, claims administration, utilization review, data storage, or analysis. For example, if a covered entity seeks accreditation from a private accreditation organization and provides such organization with protected health information as part of the accreditation process, the private accreditation organization would be a business partner of the covered entity. This would be true even if a third party, such as an employer or a public agency, required accreditation as a condition of doing business with it. The accreditation is being performed for the covered entity, not the third party, in such cases.
The covered entity may have business relationships with organizations that would not be considered to be business partners because protected health information is not shared or because services are not provided to the covered entity. For example, a covered entity could contract with another organization for facility management or food services; if these organizations do not receive protected health information for these functions or activities, they would not be considered business partners. In the case where a covered entity provides management services to another organization, the other organization would not be a business partner because it would be receiving, not providing, a service or function.
Under the proposal, a covered entity could become a business partner of another covered entity, such as when a health plan acts as a third-party administrator to an insurance arrangement or a self-funded employee benefit plan. In such cases, we propose that the authority of the covered entity acting as a business partner to use and disclose protected health information be constrained to the authority that any business partner in the same situation would have. Thus, the authority of a covered entity acting as a business partner to use and disclose protected health information obtained as a business partner would be limited by the contract or arrangement that created the business partner relationship.
In most cases, health care clearinghouses would fall under our definition of "business partner" because they receive protected health information in order to provide payment processing and other services to health plans, health care providers and their business partners. Therefore, although health care clearinghouses would be covered entities, in many instances under this proposed rule they would also be treated as business partners of the health care providers or health plans for whom they are performing a service. We would note that because health care clearinghouses would generally be operating as business partners, we are proposing not to apply several requirements to health care clearinghouses that we otherwise would apply to covered plans and providers, such as requiring a notice of information practices, access for inspection and copying, and accommodation of requests for amendment or correction. See proposed §§ 164.512, 164.514 and 164.516.
Under this proposed rule, a business partner would be acting on behalf of a covered entity, and we propose that its use or disclosure of protected health information be limited to the same extent that the covered entity for whom it is acting would be limited. Thus, a business partner could have no more authority to use or disclose protected health information than that possessed by the covered entity from which the business partner received the information. For example, a business partner could not sell protected health information to a financial services firm without individual authorization because the covered entity would not be permitted to do so under these proposed rules. We would note that a business partner's authority to use and disclose protected health information could be further restricted by its contract with a covered entity, as described below.
We are not proposing to require the business partners of covered entities to develop and distribute a notice of information practices, as provided in proposed § 164.512. A business partner would, however, be bound by the terms of the notice of the covered entity from which it obtains protected health information. For example, if a covered entity provided notice to its subscribers that it would not engage in certain permissible disclosures of protected health information, we are proposing that such a limitation would apply to all of the business partners of the covered entity that made the commitment. See proposed § 164.506(e). We are proposing this approach so that individuals could rely on the notices that they receive from the covered entities to which they disclose protected health information. If the business partners of a covered entity were able to make wider use or make more disclosures than the covered entity, the patients or enrollees of the covered entity would have difficulty knowing how their information was being used and to whom it was being disclosed.
We are also proposing that a business partner's use and disclosure of protected health information be limited by the terms of the business partner's contractual agreement with the covered entity. We propose that a contract between a covered entity and a business partner could not grant the business partner authority to make uses or disclosures of protected health information that the covered entity itself would not have the authority to make. The contract between a covered entity and a business partner could further limit the business partner's authority to use or disclose protected health information as agreed to by the parties. Further, the business partner would have to apply the same limitations to its subcontractors (or persons with similar arrangements) who assist with or carry out the business partner's activities.
To help ensure that the uses and disclosures of business partners would be limited to those recognized as appropriate by the covered entities from whom they receive protected health information, subject to the exception discussed below, we are proposing that covered entities be prohibited from disclosing protected health information to a business partner unless the covered entity has entered into a written contract with the business partner that meets the requirements of this subsection. See proposed § 164.506(e)(2)(i). The written contract between a covered entity and a business partner would be required to:
Each specified contract term above would be considered a separate implementation specification under this proposal for situations in which a contract is required, and, as discussed below, a covered entity would be responsible for assuring that each such implementation standard is met by the business partner. See proposed § 164.506(e)(2). The contract could include any additional arrangements that do not violate the provisions of this regulation.
The contract requirement that we are proposing would permit covered entities to exercise control over their business partners' activities and provide documentation of the relationship between the parties, particularly the scope of the uses and disclosures of protected health information that business partners could make. The presence of a contract also would formalize the relationship, better ensuring that key questions such as security, scope of use and disclosure, and access by individuals are adequately addressed and that the roles of the respective parties are clarified. Finally, a contract can bind the business partner to return any protected health information received from the covered entity when the relationship is terminated.
In lieu of a contracting requirement, we considered imposing only affirmative duties on covered entities to ensure that their relationships with business partners conformed to the standards discussed in the previous paragraph. Such an approach could be considered less burdensome and restrictive, because we would be leaving it to the parties to determine how to make the standards effective. We rejected this approach primarily because we believe that in the vast majority of cases, the only way that the parties could establish a relationship with these terms would be through contract. We also determined that the value of making the terms explicit through a written contract would better enable the parties to know their roles and responsibilities, as well as better enable the Secretary to exercise her oversight role. In addition, we understand that most covered entities already enter into contracts in these situations and therefore this proposal would not disturb general business practice. We invite comment on whether there are other contractual or non-contractual approaches that would afford an adequate level of protection to individuals' protected health information. We also invite comment on the specific provisions and terms of the proposed approach.
We are proposing one exception to the contracting requirement: when a covered entity consults with or makes a referral to another covered entity for the treatment of an individual, we would propose that the sharing of protected health information pursuant to that consultation or referral not be subject to the contracting requirement described above. See proposed § 164.506(e)(1)(i). Unlike most business partner relationships, which involve the systematic sharing of protected health information under a business relationship, consultation and referrals for treatment occur on a more informal basis among peers, and are specific to a particular individual. Such exchanges of information for treatment also appear to be less likely to raise concerns about further impermissible use or disclosure, because health care providers receiving such information are unlikely to have a commercial or other interest in using or disclosing the information. We invite comment on the appropriateness of this exception, and whether there are additional exceptions that should be included in the final regulation.
We note that covered health care providers receiving protected health information for consultation or referral purposes would still be subject to this rule, and could not use or disclose such protected health information for a purpose other than the purpose for which it was received (i.e., the consultation or referral). Further, we note that providers making disclosures for consultations or referrals should be careful to inform the receiving provider of any special limitations or conditions to which the disclosing provider has agreed (e.g., the disclosing provider has provided notice to its patients that it will not make disclosures for research).
Under the system that we are proposing, business partners (including business partners that are covered entities) that have contracts with more than one covered entity would have no authority to combine, aggregate or otherwise use for a single purpose protected health information obtained from more than one covered entity unless doing so would have been a lawful use or disclosure for each of the covered entities that supplied the protected health information that is being combined, aggregated or used. In addition, the business partner must be authorized through the contract or arrangement with each covered entity that supplied the protected health information to combine or aggregate the information. For example, a business partner of a health plan would be permitted to disclose information to another health plan for coordination of benefits purposes, if such a disclosure were authorized by the business partner's contract with the covered entity that provided the protected health information. However, a business partner that is performing an audit of a group medical practice on behalf of several health plans could not combine protected health information that it had received from each of the plans, even if the business partner's contracts with the plans attempted to allow such activity, because the plans themselves would not be permitted to exchange protected health information for such a purpose. A covered entity would not be permitted to obtain protected health information through a business partner that it could not otherwise obtain itself.
We further note that, as discussed above in section II.C.4, under our proposal a business partner generally could create a database of de-identified health information drawn from the protected health information of more than one covered entity with which it does business, and could use and disclose information and analyses from the database as it sees fit, as long as there was no attempt to re-identify the data to create protected health information. In the example from the preceding paragraph, the business partner could review the utilization patterns of a group medical practice on behalf of several health plans by establishing a database of de-identified health information drawn from all of its contracts with covered entities and reviewing the use patterns of all of the individuals in the database who had been treated by the medical group. The results of the analyses could be used by or distributed to any person, subject to the limitation that the data could not be identified. We would caution that business partners releasing such information and analyses would need to ensure that they do not inadvertently disclose protected health information by releasing examples or discussing specific cases in such a way that the information could be identified by people receiving the analysis or report.
We are proposing that covered entities be accountable for the uses and disclosures of protected health information by their business partners. A covered entity would be in violation of this rule if the covered entity knew or reasonably should have known of a material breach of the contract by a business partner and it failed to take reasonable steps to cure the breach or terminate the contract. See proposed § 164.506(e)(2)(iii). A covered entity that is aware of impermissible uses and disclosures by a business partner would be responsible for taking such steps as are necessary to prevent further improper use or disclosures and, to the extent practicable, for mitigating any harm caused by such violations. This could include, for example, requiring the business partner to retrieve inappropriately disclosed information (even if the business partner must pay for it) as a condition of continuing to do business with the covered entity. A covered entity that knows or should know of impermissible use of protected health information by its business partner and fails to take reasonable steps to end the breach would be in violation of this rule.
Where a covered entity acts as a business partner to another covered entity, the covered entity that is acting as business partner would also be responsible for any violations of the regulation.
We considered requiring covered entities to terminate relationships with business partners if the business partner committed a serious breach of contract terms required by this subsection or if the business partner exhibited a pattern or practice of behavior that resulted in repeated breaches of such terms. We rejected that approach because of the substantial disruptions in business relationships and customer service when terminations occur. We instead propose to require the covered entity to take reasonable steps to end the breach and mitigate its effects. We would expect covered entities to terminate the arrangement if it becomes clear that a business partner cannot be relied upon to maintain the privacy of protected health information provided to it. We invite comments on our approach here and whether requiring automatic termination of business partner contracts would be warranted in any circumstances.
We also considered imposing more strict liability on covered entities for the actions of their business partners, just as principals are strictly liable for the actions of their agents under common law. We decided, however, that this could impose too great a burden on covered entities, particularly small providers. We are aware that, in some cases, the business partner will be larger and more sophisticated with respect to information handling than the covered entity. Therefore we instead opted to propose that covered entities monitor use of protected health information by business partners, and be held responsible only when they knew or reasonably should have known of improper use of protected health information.
Our intention in this subsection is to recognize the myriad business relationships that currently exist and to ensure that when they involve the exchange of protected health information, the roles and responsibilities of the different parties with respect to the protected health information are clear. We do not propose to fundamentally alter the types of business relationships that exist in the health care industry or the manner in which they function. We request comments on the extent to which our proposal would disturb existing contractual or other arrangements among covered entities and business partners.