Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team


Application to Specific Entities

Essentially, the Rule (§160.102) covers the three entity groups mentioned specifically in HIPAA and in the previously published Transactions and Code Sets (TCS) rule. The "covered entities" are:

  • Health plans
  • Clearinghouses
  • Providers

The Rule further states (§164.500) that "except as otherwise provided herein, the standards, requirements, and implementation specifications of this ... [Rule] ... apply to covered entities with respect to protected health information [PHI]."

It must be noted, however, that §164.104 on applicability states: "Except as otherwise provided, the provisions of this part apply to covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information in electronic form in connection with any transaction referred to in section 1173(a)(1) of the Act [HIPAA]."

{This section is causing some debate, but the common interpretation, at this point in time, is that the Rule’s requirements with respect to privacy depend on whether a covered entity is performing any of the electronic transactions identified in HIPAA, directly or indirectly. It is possible that there are some entities that are not involved in any of the HIPAA electronic transactions and are therefore not covered by this rule. The number of such entities (most likely healthcare providers) is considered very low and could change at any time if one or more plans require electronic transactions.}

The Privacy Rule depends greatly on the definitions and functions of these covered entities (§160.103) and entities that are indirectly covered by the Rule. Therefore it is important to review the applicable definitions contained in the Rule.

Covered Entities

Healthcare Provider
The covered entity definition remains fundamentally the same (65FR82799 & 82476). For healthcare provider(s) it is noted that such a provider "transmits any health information in electronic form in connection with a transaction covered by" HIPAA. Note that while this definition qualifies which providers are covered, later in the Rule it is clarified that all individually identifiable health information, no matter its media, is covered under the Rule. Furthermore, it is important to remember that entities cannot become uncovered by shifting electronic transactions to a business associate. To assist providers in clarifying their status, the preamble of the rule also details the definition of a healthcare provider (65FR82478), while the final rule language only provides statutory reference.

Healthcare providers are also defined in this Rule by their treatment relationship. Direct treatment relationship (§164.501) is defined to mean "a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship." Indirect treatment relationship (§164.501) is defined as "a relationship between an individual and a health care provider in which:

  • The health care provider delivers health care to the individual based on the orders of another health care provider; and

  • The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual."

Several examples of these definitions are included in the preamble to the Rule (65FR82492).

Healthcare Clearinghouse

The Rule (§160.103) provides a new definition for health care clearinghouse: "a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and ‘value-added’ networks and switches, that does either of the following functions:"

  • "processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction"

  • "receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity."

The Rule (§164.500) also clarifies the role or roles of healthcare clearinghouses and when they become covered entities. The Rule notes that "health care clearinghouses must comply with the standards, requirements, and implementation specification as follows:

  • When a health care clearinghouse creates or receives protected health information (PHI) as a business associate of another entity" it must comply with the Rule "except that a clearinghouse is prohibited from using or disclosing PHI other than as permitted in the business associate contract under which it created or received the PHI."

  • When the healthcare clearinghouse is acting as a covered entity "including the designation of [a] health care component of a covered entity."

  • "When relating to uses and disclosures for which consent, individual authorization, or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing PHI other than as permitted in the business associate contract under which it created or received the PHI."

Note that in this instance, information is exchanged with another entity. Some of these functions could be done in-house and therefore would not constitute a clearinghouse function. In the Rule’s preamble (65FR82477), the Secretary details that some entities that are often considered clearinghouses will not be considered covered entities. "Telecommunication entities that provide connectivity or mechanisms to convey information such as telephone companies and Internet Service Providers, are not health care clearinghouses as defined in the rule, unless they actually carry out the functions outlined" above. Value-added networks and switch services likewise fall into entities that probably are not covered.

{The clearinghouse issue is important. Clearinghouses could, based on the applicability references above, determine whether a health plan or provider is covered under this Rule. Page 65FR82488 also provides some additional information.}

Health Plan

The definition of health plan remains essentially the same as in HIPAA and the NPRM. There are, however, a few categories added due to the Balanced Budget Act (BBA) or failure to include them in the past, such as high-risk health insurance pools. The Rule has significant impact on health plans and their sponsors or customers, so it is important to note some of the exclusions from the definition such as:

  • Group health plans with fewer than 50 participants that are not administered externally from the employer as defined by ERISA;
  • Workers compensation plans; and
  • Certain liability plans and government agencies.

Business Associate

Business Associate is defined (§160.103; 65FR82798) by its relationship to one of the covered entities and the functions that it performs in that relationship (or independently). An entity that is a business associate in one case could also be one of the three covered entities in another.

With respect to a covered entity or an "organized health care arrangement," a business associate is a person:

  • Who is not a member of the workforce of the covered entity; and
  • Who performs a function or activity involving the use or disclosure of individually identifiable health information, including (but not limited to) one or more of the following:
    • Claims processing or administration,
    • Utilization review,
    • Quality assurance,
    • Billing,
    • Benefit management,
    • Practice management,
    • Repricing,
    • Legal,
    • Actuarial,
    • Accounting,
    • Consulting,
    • Data aggregation,
    • Management,
    • Administrative,
    • Accreditation,
    • Financial services, or
    • Any other function or activity covered by the Rule.

This should not be considered an exhaustive list. Clearly, for HIM professionals, we can add functions such as transcription, coding, and release of information to the business associate list.

All entities will have to examine their relationships and functions to determine when they might become a business associate. In the NPRM this entity was called a "business partner." The Rule changes "clarify that the business association occurs when the right to use or disclose the PHI belongs to the covered entity, and another person is using or disclosing the PHI (or creating, obtaining, and using the PHI) to perform a function or activity on behalf of the covered entity." The Rule also clarifies that "providing specified services to a covered entity creates a business associate relationship if the provision of the service involves the disclosure of PHI to the services provider."

It will be important for all suspected covered entities and business associates to closely review their current and future relationships and functions. Such a review, in questionable situations, may need a legal review as well. For instance, the Secretary points out that "the mere fact that two covered entities participate in an organized health care arrangement does not make either of the covered entities a business associate of the other covered entity."

The preamble, or section-by-section review, discusses the business associate relationship in detail (65FR82475-82476). Included in this discussion are situations where two covered entities are working together, though their relationship may not be as business associates. Key to this discussion is that of a physician or other provider that has staff privileges at an institution. The Secretary notes, "neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other." The discussion goes on to note that parties often have a variety of functions, some of which could be as business associates, such as when or if the institution becomes the billing agent for the physician. (See Disclosures to Business Associates and Business Associate Contracts)
