Today, it seems we can never get through a news day without hearing at least one story about a data breach. Many of the reports center on financial data, and specifically on credit cards. Another important category of data is what is collectively known as protected health information (PHI). For financial data in the United States, there is a patchwork of legislation at both the state and federal levels, as well as industry standards, specifically the Payment Card Industry (PCI) Data Security Standard. For health information at the federal level there is, for all practical purposes, one law: the Health Insurance Portability and Accountability Act (HIPAA). There is also state legislation that addresses health data privacy, which is beyond the scope of this article. Although HIPAA has been around for nearly 20 years, the activity with the most direct impact on information service providers that previously were not directly subject to HIPAA requirements has come only within the last few years. That recent activity, and its practical impact on information technology service providers, whether they are consultants, cloud providers, data centers, or the like, is the subject of this article.

DISCLAIMER: This and future columns should not be construed as specific legal advice. Although I'm a lawyer, I'm not your lawyer. The column presented here is for informational purposes only. Whenever you're seeking legal advice, your best course of action is to always seek advice from an experienced attorney licensed in your jurisdiction.

HIPAA 101

Most likely, you have heard of HIPAA and you may know in general terms what it covers. Setting the generalities aside, let's delve into some specifics. When enacted in 1996, HIPAA consisted of five sections (Titles) of which Title II - Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform is the subject of this article. Title II of HIPAA defines the policies and procedures, as well as guidelines for securing protected health information (PHI), which is also known as individually identifiable health information. It's the privacy around PHI held by covered entities that HIPAA Title II is primarily concerned with. Covered entities are emphasized because the definition of what makes an entity covered under HIPAA has been greatly expanded. The specifics on that will be covered in the next section.

Protected Health Information

I've mentioned PHI a few times. In general, PHI is information, including demographic information, which relates to:

  • The individual's past, present, or future physical or mental health or condition
  • The provision of health care to the individual
  • The past, present, or future payment for the provision of health care to the individual

and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.

Specifically, there are 18 identifiers that HIPAA covers (defined under C.F.R. § 164.514(b)(2)):

  1. Names
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security Numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

There are two important points about the preceding list. First, the items are not exclusive to medical use; many of them could just as easily apply to the financial realm. Second, although there are 18 identifiers, number 18 is itself a catch-all that can encompass anything else that could identify the individual but is not specifically enumerated in the list.

The Security Rule and De-Identification

In order to protect the individual's privacy, HIPAA codifies a Security Rule that establishes standards to protect an individual's protected health information (PHI) that is created, received, used, or maintained by a covered entity. Again we confront the phrase "covered entity"; its importance will become apparent shortly.

The Security Rule can be found in 45 C.F.R. Part 160 as well as Part 164, subparts A and C. The combined text can be found in the following PDF Document: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf.

The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. In addition to techniques like encryption, another way to implement appropriate administrative, physical and technical safeguards is to de-identify any PHI that is held by a covered entity. There are two approaches to de-identifying PHI:

  • Expert Determination (C.F.R. § 164.514(b)(1)): A covered entity may determine that a given set of information is not PHI if an expert with appropriate knowledge documents and applies scientific principles and methods and determines that there is a very small risk that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.

  • Safe Harbor (C.F.R. § 164.514(b)(2)): Physical removal of the 18 identifiers such that the information will no longer fall within the definition of PHI. With this method, a token is used so that eventually the information can be re-linked. The key is that such a token cannot be derived from any of the 18 items. A GUID would be an acceptable token.

Specific guidance on how to implement a de-identification method can be found here: http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.
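To make the Safe Harbor approach concrete, the following is an added example written for this article, not code from the article's author or from HHS. It applies the Safe Harbor rules described above to a single patient record: direct identifiers are dropped, ZIP codes are reduced to their first three digits (with "000" substituted for prefixes covering 20,000 or fewer people), dates are reduced to the year, and ages over 89 are collapsed into a single "90 or older" band (the birth year is also removed in that case, since it would indicate such an age). A random GUID is issued as the token, and the token-to-record mapping is returned separately so it can be held apart from the de-identified data. The field names, the sample record, and the `RESTRICTED_ZIP3` set are constructed assumptions; in practice the restricted ZIP prefixes must be taken from current Census data, and the field-to-identifier mapping must be worked out for your own schema.

```python
"""Safe Harbor-style de-identification of one patient record.

Added example: field names, the sample record and RESTRICTED_ZIP3 are
constructed for illustration and are not taken from the regulation.
"""
import uuid
from datetime import date

# Fields holding direct identifiers from the Safe Harbor list; these are
# dropped outright (names, street-level geography, phone/fax, email, SSN,
# record/plan/account numbers, URLs, IP addresses, device and vehicle
# identifiers, biometrics, photographs). Assumed schema, not the regulation's.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_plate", "device_serial", "url", "ip_address",
    "fingerprint_template", "photo",
}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer.
# Constructed placeholder: the real set comes from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821",
                   "823", "878", "879", "884", "893"}


def generalize_zip(zip_code):
    """Keep only the first three digits, or '000' for restricted prefixes."""
    prefix = str(zip_code).strip()[:3]
    if len(prefix) < 3 or not prefix.isdigit():
        return "000"
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(iso_date):
    """Reduce an ISO date (YYYY-MM-DD) to its year only."""
    return str(date.fromisoformat(iso_date).year)


def _age_on(birth, ref):
    years = ref.year - birth.year
    if (ref.month, ref.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_birth_date(iso_birth, iso_ref):
    """Birth year for ages up to 89; a single '90 or older' band above that,
    with the year removed because it would reveal the age."""
    birth = date.fromisoformat(iso_birth)
    ref = date.fromisoformat(iso_ref)
    if _age_on(birth, ref) > 89:
        return {"age_band": "90 or older"}
    return {"birth_year": str(birth.year)}


def deidentify(record, iso_reference_date):
    """Return (deidentified_record, relink_entry).

    The relink entry maps the random token back to the source record and
    must be stored separately from the de-identified data."""
    token = str(uuid.uuid4())  # random; not derived from any identifier
    out = {"token": token}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            out.update(generalize_birth_date(value, iso_reference_date))
        elif field.endswith("_date"):
            out[field[: -len("_date")] + "_year"] = generalize_date(value)
        else:
            out[field] = value
    relink = {token: record.get("medical_record_number")}
    return out, relink


def residual_identifiers(deidentified):
    """Self-check: direct identifier fields that survived de-identification."""
    return sorted(f for f in deidentified if f in DIRECT_IDENTIFIER_FIELDS)


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "medical_record_number": "MRN-000123",
    "street_address": "1 Example Way",
    "city": "Springfield",
    "zip": "03601",
    "phone": "555-0100",
    "email": "jane@example.org",
    "ip_address": "203.0.113.7",
    "birth_date": "1925-05-02",
    "admission_date": "2016-03-14",
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    cleaned, relink = deidentify(SAMPLE_RECORD, "2016-04-01")
    print(cleaned)
    print("relink entry (store separately):", relink)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The diagnosis code and other clinical content pass through untouched; only the enumerated identifier classes are removed or generalized. Note that number 18 on the list (any other unique identifying code) means a schema review is still needed for fields this example does not know about, and that the relink table is itself PHI and must be safeguarded as such.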

At this point, you've had a practical primer on HIPAA and PHI, and you've learned some specific methods to safeguard that data. The next question to be resolved is who is covered by these regulations and, more specifically, what a covered entity and a business associate are.

Covered Entities and Business Associates

HIPAA defines a covered entity subject to privacy rules as:

  • A health care provider that conducts certain standard administrative and financial transactions in electronic form
  • A health care clearinghouse
  • A health plan

Chances are that in your individual capacity, although you may work for a covered entity, you yourself are not a covered entity. The road to HIPAA compliance does not end there, however. There is another important concept known as the business associate. A business associate under HIPAA is a person or entity (other than a member of the covered entity's workforce) that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. In other words, a contractor can be, and often is, considered a business associate under HIPAA. In your individual capacity, you or your entity may very well be a business associate. A covered entity may, and often will, use a business associate to de-identify PHI on its behalf. However, such work may only be done to the extent that it is authorized under the business associate agreement.

HIPAA Omnibus Rule of 2013

Prior to the HIPAA Omnibus Rule of 2013, only covered entities were directly liable for HIPAA violations. In many cases, a covered entity, via a private contract with a business associate, would require that the business associate indemnify the covered entity for any violations attributable to the business associate's negligence. The HIPAA Omnibus Rule of 2013 was enacted in January 2013 and closed what many perceived as a loophole in the law that failed to hold business associates directly liable for HIPAA violations.

The primary purposes of the Omnibus Rule of 2013, implemented as changes to the Health Information Technology for Economic and Clinical Health Act (HITECH Act), were to enhance an individual's privacy protections as to their health information in the following ways:

  • It provided affirmative rights to individuals as to how their PHI can be used.
  • It expanded the requirements of business associates that interact with PHI.
  • It enhanced the federal government's ability to enforce the law.

It's the second item that I will focus on here as it goes directly to the liability that a business associate has under HIPAA. As previously stated, prior to this new rule, a business associate was not directly liable for HIPAA violations. That enforcement was reserved only for covered entities.

Typically, if you are conducting work for a covered entity and that work involves the use, storage or transmission of PHI, such work is covered under some kind of agreement. One of the new aspects of HIPAA is the requirement that such agreements contain certain provisions. The following link provides access to a sample business associate agreement: http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. Even if you have a pre-existing agreement in place, you may be asked to sign an addendum that adds the necessary provisions to your agreement. Even if you don't have a written agreement in place, if you or your entity qualifies as a business associate under HIPAA, you or your entity is, nevertheless, subject to direct liability under HIPAA.


If you are deemed to be a business associate, the direct liability under HIPAA that you have presents a level of business risk that you may or may not have considered. As an initial matter, you should consult with an attorney in your jurisdiction and have him or her evaluate your current situation as to any agreements that are in place, the nature of your work, your policies, procedures, and safeguards. If you enter into an engagement that involves PHI, you need to be aware of your obligations under the law - whether or not you are explicitly made aware of those obligations by the covered entity that has engaged you via a business associate agreement.

Specific Business Associate Agreement Provisions

The following section lists the typical provisions that you'll encounter should a business associate agreement be presented to you. It's worth noting again that even if an explicit agreement is not in place, in the event that you interact with PHI on behalf of a covered entity, these obligations apply to you and your business entity. It's also worth noting that a business associate agreement will cite specific sections of the Code of Federal Regulations (C.F.R.). The C.F.R. is updated annually and represents the permanent rules that are followed to enforce federal law. Therefore, if you intend to deal with HIPAA-regulated data, it's essential that you have at least a working knowledge of the relevant sections of the C.F.R. For purposes of HIPAA, and specifically data security and privacy, the following apply.

The general obligations of a business associate are as follows. A business associate:

  1. May not use or disclose protected health information other than as permitted or required by the Agreement or as required by law.
  2. Must use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement.
  3. Will report to a covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware.
  4. Must ensure, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, that any subcontractors who create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
  5. Will make available protected health information in a designated record set to the [Choose either “covered entity” or “individual or the individual's designee”] as necessary to satisfy covered entity's obligations under 45 CFR 164.524.
  6. Must make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity's obligations under 45 CFR 164.526.
  7. Will maintain and make available the information required to provide an accounting of disclosures to the [Choose either “covered entity” or “individual”] as necessary to satisfy covered entity's obligations under 45 CFR 164.528.
  8. Must comply, to the extent the business associate is to carry out one or more of the covered entity's obligation(s) under Subpart E of 45 CFR Part 164, with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s).
  9. Must make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Previously, it was stated that permitted uses and disclosures of PHI are enumerated in the business associate agreement. The following are typical provisions, with options as they are enumerated on the hhs.gov site:

Business associate may only use or disclose protected health information:

  1. [Option 1 - Provide a specific list of permissible purposes.] [Option 2 - Reference an underlying service agreement, such as "as necessary to perform the services set forth in Service Agreement."] [In addition to other permissible purposes, the parties should specify whether the business associate is authorized to use protected health information to de-identify the information in accordance with 45 CFR 164.514(a)-(c). The parties may also wish to specify the manner in which the business associate will de-identify the information and the permitted uses and disclosures by the business associate of the de-identified information.]
  2. Business associate may use or disclose protected health information as required by law.
  3. Business associate agrees to make uses and disclosures and requests for protected health information [Option 1] consistent with covered entity's minimum necessary policies and procedures. [Option 2] subject to the following minimum necessary requirements: [Include specific minimum necessary provisions that are consistent with the covered entity's minimum necessary policies and procedures.]
  4. Business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by covered entity [if the Agreement permits the business associate to use or disclose protected health information for its own management and administration and legal responsibilities or for data aggregation services as set forth in optional provisions (e), (f), or (g) below [not included here], then add "except for the specific uses and disclosures set forth below."] [Optional] Business associate may use protected health information for the proper management and administration of the business associate or to carry out the legal responsibilities of the business associate. [Optional] Business associate may disclose protected health information for the proper management and administration of business associate or to carry out the legal responsibilities of the business associate, provided the disclosures are required by law, or business associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  5. [Optional] Business associate may provide data aggregation services relating to the health care operations of the covered entity.

Conclusion

Its name and origin notwithstanding, HIPAA is about identifying information regardless of whether it's in a health context. It is absolutely essential to be aware of the legal obligations and liabilities that are incident to such data.