Don't ignore these two important requirements.
Certain provisions in the HIPAA Privacy Rule do not apply to all covered entities or business associates. Specifically, 45 CFR § 164.530 has eleven standards that apply to persons operating in the healthcare sector. Between December 2000 and August 2009, several changes to this section occurred. They are found at [65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53272, Aug. 14, 2002; 71 FR 8433, Feb. 16, 2006; 74 FR 42769, Aug. 24, 2009].
What is notable is that this particular section contains technical, administrative, and technical safeguards, which differ from those in the HIPAA Security Rule because they apply to all forms of protected health information (PHI) and not just electronic protected health information (ePHI). (emphasis added). What is also notable is that of the three “buckets” of entities (providers, health plans, and health care clearinghouses) that fall under the term covered entity (45 CFR §160.103), The first six (6) items on the list of eleven (11) do not apply to Group Health Plans.
45 CFR § 164.530 requires the following of covered entities and business associates, with the exception of the first six (6) items. Having said that, designating an HIPAA Compliance Officer, who has responsibility of privacy and security is a best practice, especially in light of variations, which may be present in individual state regulations. To be clear, just because Section 164.530 may not apply, the Security Rule must be considered and complied with.
The first six items are as follows:
(1) A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:
(i) The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and
(ii) The group health plan does not create or receive protected health information, except for:
(A) Summary health information as defined in § 164.504(a); or
(B) Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.
Like most regulations in healthcare, Section 164.530 does not stand on its own and must be read in conjunction with other regulations. This is where 45 CFR §164.316 comes in because it also relates to policies and procedures – requiring both covered entities and business associates to meet this standard and update. This section should be considered when assessing verbiage in business associate agreements (BAAs). First, the policies and procedures must be in writing. Second, like Section 164.530, a retention period of “six (6) years from the date of its creation or the date when it was last in effect, whichever is later.” (emphasis added).
Why is this material to BAAs? Because, in the event a covered entity takes the position that they want all PHI destroyed or returned immediately, the business associate (or the subcontractor if the BAA is between the business associate and a subcontractor) should state that because of their own obligations, which are set forth in their policies and procedures, they are required to keep the PHI for a period of at least six years. There may also be other circumstances such as a legal hold, state law requirements, and/ or PHI involving minors.
In sum, these are two provisions of HIPAA, which are not often written about but can be very important in retaliation claims, False Claims Act cases, and HIPAA compliance alike.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.