The HIPAA Security Rule
April 11, 2017 | Healthcare Risk, Quality, & Safety Guidance
HIPAA-covered entities and their business associates must satisfy the HIPAA security rule's administrative, technical, and physical safeguards for protecting ePHI they create, maintain, or transmit.
Covered entities include health plans, healthcare clearinghouses, and healthcare providers, including individuals that transmit health information in electronic form in connection with a transaction for which HHS has adopted standards under HIPAA (45 CFR § 160.103).
A HIPAA "business associate" is a person or entity, other than a member of the covered entity's workforce, that performs or assists in performing a function or activity involving the use or disclosure of individually identifiable health information for such covered entity or for an organized healthcare arrangement in which the covered entity participates. Provision of the service must involve the disclosure of individually identifiable health information from such covered entity or arrangement (45 CFR § 160.103). Business associates are individuals and entities that provide services for or on behalf of the covered entity, such as claims management, legal services, accounting, and consulting services. Entities providing e-prescribing gateways, data transmission companies that access ePHI, and data storage companies (e.g., cloud computing and off-site storage facilities) are HIPAA business associates of the covered entities they serve even if they do not actually access ePHI. OCR provides detailed information about HIPAA security rule requirements regarding cloud service providers on its website. (OCR "May")
Covered entities must have contracts in place with their business associates, ensuring under the agreement that their business associates will appropriately safeguard PHI and ePHI. Failure to do so can result in regulatory sanctions. In one case, a healthcare facility that failed to identify another entity as its business associate paid $1.55 million in settlement after an OCR investigation found that the business associate, without being subject to the terms of a business associate agreement, accessed the covered entity's databases containing PHI. (OCR "$1.55")
The contract should clarify and limit the permissible uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services to be performed by the business associate. The HIPAA omnibus final rule of 2013 makes business associates directly liable to HHS for certain security rule requirements, including obtaining a business associate agreement from their subcontractors requiring that their subcontractors safeguard PHI and ePHI.
Covered entities and their business associates...