Implications for Covered Entity Public Health Agencies under the HIPAA Omnibus Rule

Public Health Agencies and HIPAA

Public health plays an important role in the United States healthcare system. The 10 Essential Public Health Services identified by the Centers for Disease Control and Prevention provide a working definition of public health and a guiding framework for the responsibilities of local public health systems.¹ One of the essential services performed by public health agencies is to link people to needed personal health services and assure the provision of healthcare for those with limited or no access to a coordinated system of clinical care.² In order to fulfill this responsibility, many state and local public health agencies provide healthcare services through operations such as healthcare clinics for poor and underserved populations. If, in connection with their healthcare operations, public health agencies transmit health information electronically, then they are considered covered entities and must comply with the HIPAA.³

The U.S. Department of Health and Human Services (“HHS”) released the HIPAA Omnibus Final Rule (“Omnibus Rule” or “mega rule”) on January 17, 2013.⁴ This mega rule implements the modifications required by the Genetic Information Nondiscrimination Act (“GINA”), as well as most of the privacy, security, and enforcement provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). The mega rule took effect on March 26, 2013, and covered entities are required to comply with the applicable requirements of the mega rule by September 23, 2013.⁵ Given the unique position of public health agencies, there are several provisions within the Omnibus Rule that should be of particular interest to covered entity public health agencies.

Public Health Agencies as Hybrid Entities

Public health agencies’ healthcare operations usually make up only a small portion of the agency’s overall functions, so many public health agencies choose to become hybrid entities under HIPAA. Any single legal entity may designate itself a hybrid entity if it performs both covered and non-covered functions as part of its business operations. A covered function is any function that makes an entity a health plan, a healthcare provider, or a healthcare clearinghouse.⁶ The hybrid entity provisions of HIPAA permit an entity to limit the application of HIPAA only to the entity’s healthcare components.⁷ The provision allows public health agencies to carve out a designated a healthcare component by specifying the segments of the organization that perform covered entity functions. The effect of such a designation is that most of the requirements of HIPAA apply only to the designated healthcare component of the entity and not to the other functions a health department performs that are not included in the healthcare component, such as disease outbreak investigation or emergency preparedness coordination. Business associate agreements would only be required for entities that performed HIPAA-covered functions on behalf of the designated healthcare component of the health agency. For a public health agency, the major benefit of hybrid entity status is a reduction in the administrative burden to comply with the HIPAA Rules.

Public health agencies, whether covered entities or hybrid entities, are required to comply with all applicable changes under the Omnibus Rule. There are several important provisions, discussed below, which may require public health agencies to take immediate action in order to be HIPAA compliant by the September 23, 2013 deadline. The Omnibus Rule will also implement a tiered penalty structure for HIPAA violations which could place a large fiscal burden on state and local governments for failure to comply by the deadline.⁸ There are some changes specific to hybrid entities in the Omnibus Rule and therefore important for public health agencies to take into consideration.

Hybrid Entities and Business Associate Divisions

Previously, the HIPAA Privacy Rule provided hybrid entities with discretion as whether to include or not include business associate divisions, otherwise non-covered portions of its operations that provide services to the covered functions, such as parts of the legal or accounting divisions of the entity, within the healthcare component. This was allowed so that protected health information could be shared with such divisions of the larger entity without business associate agreements or individual authorizations from patients.⁹

In another provision of the Omnibus Rule, business associates are now separately and directly liable for violation of applicable provisions of the Security and Privacy Rules, where previously they were only contractually liable to a covered entity pursuant to the terms of a business associate agreement.¹⁰ There was concern that by not including business associate functions within the healthcare component of a hybrid entity, it could allow for avoidance of direct liability and compliance obligations for the business associate components. HHS requested comment on whether HIPAA should require, rather than permit, a covered entity that is a hybrid entity to include business associate divisions within its healthcare component so that such components are directly subject to HIPAA. Several commenters advised that modifying the rule would better facilitate compliance, through better protection of the protected health information held by the business associate divisions and more consistent standards within the healthcare component of the covered entity.¹¹ Under § 164.105(a)(2)(ii)(C)-(E), the Omnibus Rule now requires that the healthcare component of a hybrid entity include all business associate functions within the entity so that such components are directly subject to the Rules.¹²

Covered Entity Responsibility for Healthcare Components

Additionally, under § 164.105(a)(2)(iii)(C), the Omnibus Rule makes clear that the covered entity as a whole, and not just the healthcare component, is responsible for complying with §§ 164.314 and 164.504 regarding business associate arrangements and other organizational requirements under HIPAA.¹³ This means that a covered entity as a whole does not have to comply with HIPAA Rules, but does remains responsible for ensuring that the healthcare component complies with the applicable HIPAA Rules. For example, the covered entity must ensure that the healthcare component does not disclose protected health information (“PHI”) to another component of the covered entity in circumstances that would be prohibited under HIPAA. HHS advises that hybrid entities may need to implement legal contracts and direct organizational matters at the level of the legal entity rather than at the level of the healthcare component in order to safeguard PHI and ensure full compliance.¹⁴

Changes to Business Associate Agreements

Though not specific to hybrid entities, probably the most demanding provision of the Omnibus Rule for state and local public health agencies to comply with is the result of the change in business associate responsibilities under HIPAA. Covered entities, including hybrid entities, will be required to amend business associate agreements to contain additional provisions, including:

• a provision that requires the business associate to comply with the Security Rule with respect to electronic PHI;¹⁵
• a provision that requires the business associate to disclose any breaches of unsecured PHI as required by 164.410; ¹⁶
• a provision that requires a business associate to ensure that any subcontractors that use PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information ;¹⁷ and
• a provision that requires the business associate to comply with the requirements of the Privacy Rule that apply to the covered entity, to the extent the business associate is carrying out a covered entity’s obligation.¹⁸

Generally, business associate agreements for public health agencies do not differ greatly from those of other covered entities, unless a covered entity and its business associate are both governmental entities. Then instead of entering into a business associate agreement, the covered entity would enter into a memorandum of understanding that contains terms that accomplish the same objectives listed above.¹⁹

The resources available to public health agencies, especially county and municipal agencies, for redrafting agreements on such a large scale are much more limited than other covered entities. Local public health agencies often have difficulty accessing legal services and local public health leadership may not have a working relationship with their attorney or may not even know who represents their legal interests.²⁰ This amendment of business associate agreements must be completed for every business associate with which a covered entity does business. In recognition of the large burden renegotiating each and every business associate agreement will place on covered entities, any HIPAA compliant business associate agreement  that existed prior to January 25, 2013 will be provided with an additional one-year transition period beyond the compliance date of the revisions to the HIPAA Rules.²¹ Therefore, covered entity public health agencies that meet this criterion will have until September 22, 2014 to amend their business associate agreements and memorandum of understanding. Though even with a one-year extension for compliance, this represents a fiscally and administratively large task which public health agencies should start undertaking immediately.

Conclusion

Public health agencies play an important role in the provision of healthcare to poor and underserved populations and compliance with the provisions of HIPAA helps ensure protection for all patients. Given the fiscal and administrative burdens that the Omnibus Rule presents, it is important for public health agencies to take immediate action and work towards full compliance well ahead of upcoming deadlines. Failure to comply with the Omnibus Rule changes could result in a large fiscal burden on state and local governments through the new tiered penalty structure for HIPAA violations. Such penalties could jeopardize the ongoing efficacy of an already underfunded public health system.

Endnotes

1. 10 Essential Public Health Services, Centers for Disease Control and Prevention. http://www.cdc.gov/nphpsp/essentialservices.html
   
2. Id.
3. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) P.L. No. 104-191, 110 Stat. 1938 (1996).
4. U.S. Department of Health and Human Services, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (January 25, 2013).
5. See 45 C.F.R. § 160.105.
6. See 45 C.F.R. § 164.103.
7. See 45 C.F.R. § 164.105(a)(2)(iii)(C).
8. See C.F.R. 45 § 160.404.
9. See 67 Fed. Ref. 53182, 53204 (Aug. 14, 2002).
10. See 45 C.F.R. § 164.104(b).
11. See 78 Fed. Reg. 5566, 5588 (Jan. 25, 2013).
12. See 45 C.F.R. § 164.105(a)(2)(ii)(C)-(E).
13. See 45 C.F.R. § 164.105(a)(2)(iii)(C).
14. 78 Fed. Reg. 5566, 5588 (Jan. 25, 2013).
15. See 45 C.F.R. § 164.504(e)(2)(ii)(B) and 45 C.F.R § 164.314(a)(2)(i)(B).
16. See 45 C.F.R. § 164.504(e)(2)(ii)(C) and 45 C.F.R § 164.314(a)(2)(i)(C).
17. See 45 C.F.R. § 164.504(e)(2)(ii)(D) and 45 C.F.R § 164.314(a)(2)(iii).
18. See 45 C.F.R. § 164.504(e)(2)(ii)(H).
19. See 45 C.F.R. § 164.504(e)(3)(i).
20. The Law and Public Health Infrastructure." For the Public's Health: Revitalizing Law and Policy to Meet New Challenges. Washington, DC: The National Academies Press, 2011.
21. See 45 C.F.R. § 164.532(e).