2010 HIPAA CAMPAIGN KEY POINTS
This page has been provided to offer resources to members and non-members of PRISM International who are willing to comment on the recently released proposed rule modifying the HIPAA Privacy Rule, Security Rule and other modifications. Here is what you will find on this page.
- The text of this page explains the modifications or clarifications PRISM International is seeking from Health and Human Services.
- An explanation of how to comment on the rule is found at the conclusion of the page.
- Attachments are found at the bottom of this page. The first attachment, HIPAA Fact Scenarios, provides legal arguments as to why some members of the records storage industry should not be considered Business Associates.
- The Business Associate Agreement white paper provides examples of indemnification and other provisions included in Business Associate Agreements that exceed the minimum BAA provisions offered by Health and Human Services.
- 2010-16718 is the proposed rule issued by Health and Human Services, which is open for comment until September 10.
- The HIPAA Letter Template is a Microsoft Word file that can be used as an address template for a comment letter. A checklist is included as the body of the letter; this should be replaced with your own comments.
PLEASE NOTE: ALL MEMBERS AND NON-MEMBERS OF PRISM INTERNATIONAL ARE ENCOURAGED TO COPY PRISM INTERNATIONAL ON YOUR RESPONSE TO HEALTH AND HUMAN SERVICES.
Health and Human Services will be issuing a Notice of Proposed Rule Making during the summer (most likely in July). Part of this proposed rule will update conditions addressed in Business Associate Agreements. Because comments regarding the Business Associate/Covered Entity relationship are being requested, our industry will have an opportunity to respond, both as an industry association and individually, to discuss the unfair burdens and increased risks that have been heaped on small businesses as a result of changes in HIPAA. This information is designed to provide you with guidance on how to respond to the request for comments. Here are the key points you should consider.
1. Health and Human Services is very concerned with how its proposed or existing rules impact small businesses. In your response, it is very important that you use specific examples from your own business experience. Here are some things you may want to consider when writing your letter:
- Please explain or describe in as much detail as possible any increases in your operating costs as a direct result of serving Covered Entities.
- Describe how you may have changed operations, or any specific business hardship that has been created, because of increased risks to Business Associates (fines, litigation, etc.).
- Is health care still a viable market for you? If not, could you describe the barriers that have made it less desirable to do business with health care clients?
- Are there things that should be changed in the administration of HIPAA that would make the regulations less burdensome on your business?
2. Some covered entities seem to be using changes to HIPAA to insert additional items into contracts that are not required by any rule. One of these items is a requirement that covered entities be completely indemnified by business associates for any act by either the business associate or the covered entity. Here are some things you may want to consider as you write your letter:
- Have you received requests in business associate agreements to completely indemnify a covered entity? If so, could you describe how you responded and whether these requests were burdensome for your small business?
- Have you noticed other demands made in business associate agreements that do not correspond to model business associate provisions, or which seem very unusual when compared to other business associate agreements you have signed?
- Can you share any other experiences you may have had in interacting with covered entities or in negotiating final business associate provisions?
Here is an example of one member’s response on this issue:
“As a small business owner and operator in the storage industry, I am alarmed that the expansion of fines and liabilities in ARRA/HITECH is leading many of my clients (who are covered entities) to insist on passing their own risk off to my business by way of contractual indemnification. Health and Human Services should make it clear that while business associates have their own risks and responsibilities under the HIPAA-related laws, no law or rule requires business associates to absorb any of the risks and responsibilities that properly belong to covered entities. In review of the minimum construction requirements found at 45 C.F.R. §164.504(e), we find no mandate for the inclusion of “Indemnification Provisions” in a Business Associates Agreement. More to the point, we find no reason why the Business Associates Agreement should contain any reference to indemnification provisions, as the issue of negotiating liability limitations or shifting duties through the use of indemnification agreements should be reserved to renegotiations of the underlying Business Arrangements between the Covered Entity and the Business Associate, and not to renegotiations of the primary instrument that Covered Entities must utilize by Federal mandate for the sole purpose of ensuring their service providers are compliant with the rules and regulations promulgated by the HIPAA and HITECH Acts. We feel strongly that the Business Associates Agreement should not be used as a vehicle for Covered Entities to shift contractual duties, but should be used solely for its intended purpose; that being for Covered Entities to notice Business Associates and request their acknowledgement of those obligations imposed directly upon them by statute, and to request the Business Associate to assist the Covered Entity with its own compliance initiatives, as and when required by law.”
3. The Department of Health and Human Services does not consider common carriers such as the United States Postal Service, United Parcel Service, FedEx, or other courier services to be Business Associates under HIPAA rules; this is because Health and Human Services has determined that these businesses do not “use” or “disclose” protected health information and are performing a function that covered entities are not capable of performing themselves. Most breaches that have involved members of our industry occurred during the process of transporting information, not when storing information. We believe that some PRISM International members may be entitled to the same type of exemption, depending on the level of service they offer to covered entities. If you feel as though this could apply to your business, here are some things you may want to describe in your letter:
- Can you describe your internal processes for dealing with protected health information? This would include client-site procedures, transportation procedures, facility safeguards, employee screening and storage procedures.
- Can you talk about what kind of descriptive information clients record on the outside of cartons and/or file folders if you interact with protected health information at the file level?
- Can you identify how your business is similar to and different from other common carrier or courier companies, and whether you feel that any differences you have noted increase the risk of a data breach?
- Do you think you should be considered a Business Associate under HIPAA? If not, can you explain whether being considered a Business Associate creates a special burden on your business?
- Would you share any additional costs associated with being considered a business associate and how these additional costs have impacted you as a small business owner?
Here is how one member responded to this issue:
“I believe it is grossly unfair that small storage businesses like mine are considered business associates under HIPAA while very large courier companies like United Parcel Service and FedEx are specifically exempted. There is very little difference between what storage companies do and what couriers do – while we both take possession of our customers’ property, neither of us “use” nor “disclose” protected health information as such terms are defined under the legislation. In fairness to small storage companies like mine, HHS should clarify that storage providers are specifically exempted under HIPAA for the same reasons couriers are.”
HOW TO RESPOND
Please write a letter or e-mail in your own words. A thoughtful letter or e-mail that is addressed to a regulatory agency and your Congressional representatives can cause the government to reconsider the impact of laws, rules and regulations.
IMPORTANT: IN ALL RESPONSES, PLEASE IDENTIFY THE RULE BY THIS NUMBER – RIN 0991-AB57
You can submit attachments via the Federal eRulemaking portal using Microsoft Word attachments. Here are the instructions: “Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.”
Letters can also be sent to the following address:
U.S. Department of Health and Human Services
Office for Civil Rights
Attention: HITECH Privacy and Security Rule Modifications
Hubert H. Humphrey Building
Room 509F
200 Independence Avenue, SW.
Washington, DC 20201.
HHS asks that you please submit one original and two copies.
PLEASE MAKE SURE TO SEND PRISM INTERNATIONAL A COPY OF YOUR LETTER!
Send the copy by e-mail to jim@prismintl.org, by fax to 919-771-0457, or by mail to:
PRISM International, 1418 Aversboro Rd. Suite 201, Garner NC 27529
Attachments available for download:
- HIPAA letter template
- HIPAA Fact Scenarios
- HIPAA White Paper
- Federal Register / Vol. 75, No. 134 / Wednesday, July 14, 2010 / Proposed Rules
| Attachment | Size |
|---|---|
| HIPAA_BAA_White_Paper.pdf | 106.79 KB |
| HIPAA Fact Scenarios.pdf | 819.83 KB |
| 2010-16718.pdf | 338.25 KB |
| HIPAA letter template.doc | 34 KB |
