Proposed HIPAA Changes for Business Associates

Published: Jan. 28, 2021

Updated: Apr. 06, 2021


The Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, proposing changes to the HIPAA Privacy Rule. In this post, we focus on how some of the proposed changes would specifically affect business associates (BAs) and other third parties.

Reducing the Identity Verification Associated with the Right to Access

The updated rule would prohibit covered entities (CEs) and BAs from imposing unreasonable identity verification measures on someone exercising their right to access protected health information (PHI). To guard against unauthorized disclosures of PHI, HIPAA requires CEs and BAs to take reasonable steps to verify the identity of an individual requesting such data; the NPRM does not remove that obligation, it limits how burdensome the verification may be. The NPRM recognizes that individuals increasingly request access to PHI in electronic format (ePHI) through apps that are not acting on behalf of CEs or BAs (i.e., apps that aren’t BAs, such as consumer health apps). The updated rule would prohibit CEs and BAs from applying onerous or infeasible registration requirements to such apps, like requiring an app that does not qualify as a BA to sign a Business Associate Agreement (BAA), or blocking an app from registering with an API that the CE or BA makes public (unless there is an identified security risk). In other words, CEs and BAs would have to allow apps to register with their public APIs, without a BAA, so that individuals can access their own ePHI. Because a BAA can no longer be used to gate access at the contract level, BAs that expose ePHI through such APIs will need to rely on technical controls at the API itself (authenticating the individual, authorizing only that individual’s records, and monitoring for abuse) to prevent hacking and other malicious activity. 

Excluding Health Apps and TRS from BAs

The updated rule would exclude “personal health applications” and Telecommunications Relay Services (TRS) providers from the definition of a BA. A health app would be defined as a service offered directly to consumers that individuals use for their own purposes, which does not act on behalf of or at the direction of CEs. This would codify current HHS guidance that when individuals store PHI from a CE in a health app, the app is not acting on behalf of the CE. Further, the NPRM would modify the definition of BAs to exclude TRS providers. TRS providers help facilitate phone calls for people with hearing or speech disabilities. An example is Text-to-Voice TTY-based TRS. When facilitating calls between individuals and CEs or BAs, a TRS provider would not be a BA.

These changes would relieve health apps and TRS providers from signing BAAs and from complying with HIPAA’s Privacy and Security Rules. Some health apps and TRS providers have already signed BAAs that, under the new definitions, they would not need. In anticipation of the proposed changes, these entities may want to assess their options for terminating BAAs that would become superfluous, bearing in mind that the rule is only proposed and an existing BAA remains binding until it is terminated or amended.

Required Disclosures of PHI

The updated rule would clarify that, by default, a BA is required to disclose PHI only to the CE, unless the BAA provides otherwise. Under the Privacy Rule, patients have the right to request access to their PHI from CEs and to direct the disclosure of their PHI to a designee. Currently, HIPAA requires a BA to provide copies of PHI as necessary to enable the CE to meet a patient’s request, which in practice may mean providing them to the CE, to the individual, or to the individual’s designee. The updated rule would clarify that direct disclosure to individuals or designees is not the BA’s default obligation; it is something the BAA must specifically permit. BAs that periodically receive requests directly from patients may therefore want to review their BAAs to ensure that the agreement permits direct disclosure.