Authors
Matt Baumgartner, Partner with Graves Dougherty Hearon & Moody (GDHM)
Ronald T. Luke, JD, PhD, President

INTRODUCTION

RPC asked Matt Baumgartner, a partner with Graves Dougherty Hearon & Moody (“GDHM”), to research requirements and best practices regarding Business Associate Agreements (BAAs) under two laws: the federal Health Insurance Portability and Accountability Act and related statutes and regulations (HIPAA), and Texas HB 300, codified in the Texas Health and Safety Code, Chapters 181 and 182.

Both laws place requirements on the access and use of private patient medical information (protected health information or PHI). While most litigation matters involving the use of PHI should have a court-ordered HIPAA-compliant protective order, courts sometimes do not address HB 300 in such orders. In fact, HB 300 places stricter requirements on users of PHI and covers a wider range of entities than HIPAA.

This blog post explains the broader definition of “covered entity” in Texas law, the need for a court-protective order in cases involving PHI, and the terms a BAA should include to comply with HIPAA and HB 300. At RPC’s request, GDHM prepared a protective order template and BAA templates that comply with HIPAA and HB 300 requirements. The reader may access these templates through the hyperlinks in the preceding sentence.

DEFINITIONS OF COVERED ENTITIES

HB 300 and HIPAA differ significantly in their definitions of “covered entities.” Chapter 181 of the Texas Health and Safety Code defines the term “Covered Entity” more broadly than HIPAA in 45 CFR §160.103. RPC’s BAA templates use the HIPAA definition, rather than the Texas definition, because not all “covered entities” as defined by Texas law are required (by federal law) to comply with HIPAA and HITECH. All covered entities as defined by Chapter 181 must comply with the applicable provisions of Chapters 181 and 182, however.

According to the US Department of Health and Human Services (HHS), a covered entity under HIPAA is: “(1) A health plan; (2) A health care clearinghouse, [or] (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”[1]

Law firms, attorneys, and experts are covered entities under HB 300. According to HB 300, a “covered entity” is any person who:

(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;

(B) comes into possession of protected health information;

(C) obtains or stores protected health information; or

(D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.[2]

This definition subjects just about anyone to HB 300’s requirements (except perhaps, for example, janitorial staff who work at a covered entity and may come across PHI only incidentally). HB 300 also requires that all staff who may encounter PHI be trained within 90 days of employment and “at least once every two years.”[3]

COURT PROTECTIVE ORDERS

In litigation involving PHI, there should be a HIPAA-compliant protective order signed by all counsel, experts, and others who may possess or use PHI. The court order is necessary to authorize the use and disclosure of PHI in pleadings, expert reports, and testimony. It is in the interest of all parties for the court to issue an order. In general, a court protective order should include these elements:

  • It should reference and comply with 45 CFR 164.512(e), which covers disclosure of individually identifiable health information in judicial proceedings.
  • It should state, pursuant to 45 CFR 164.512(e)(1)(v)(A)–(B), that anyone obtaining PHI in the case in which the HIPAA qualified protective order applies:
    • is prohibited from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested;
    • must return to the covered entity or destroy the PHI (including all copies made) at the end of this litigation or proceeding, except as otherwise ordered by the Court.
  • It should require the person or an authorized representative of the entity receiving the PHI to sign a HIPAA PHI Disclosure Agreement (a sample form is attached to the HIPAA Protective Order template) before receiving the PHI.

BUSINESS ASSOCIATE AGREEMENTS

Whether or not a HIPAA-compliant protective order is in place, RPC and the counsel or client retaining RPC should sign a BAA.

HIPAA regulation 45 CFR §164.308 requires “Covered Entities”[4] to take “Administrative Safeguards” with respect to “Protected Health Information.” Section 164.308 (b)(1) addresses “business associate contracts and other agreements,” and states: “A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.” Subsection (b)(3) requires “a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).”

RPC may not always qualify as a “business associate” when it receives a small amount of PHI from a medical facility or doctor’s office for litigation.[5] Rather than trying to discern when it is or is not a business associate, however, RPC will request a BAA on all cases involving PHI on which it is retained.

Section 164.314(a)(1) states that a BAA must meet certain specific requirements in “paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii), as applicable.” Subsection (a)(2)(i) addresses business associate contracts that “must provide that the business associate will comply with the applicable requirements of this subpart,” ensure that subcontractors agree to comply with those requirements, and report to the covered entity any breaches of unsecured protected health information.[6]

HHS.gov contains information concerning use of PHI by business associates, and includes sample BAA language.[7] The HHS website states that BAAs “must” contain ten specific requirements:[8]

  1. establish the permitted and required uses and disclosures of PHI by the business associate;
  2. provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  3. require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to ePHI;[9]
  4. require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
  5. require the business associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  6. to the extent the business associate is to carry out a covered entity’s obligation under the HIPAA Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
  7. require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  8. at termination of the contract, if feasible, require the business associate to return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity;
  9. require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
  10. authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.

RPC’s BAA templates meet these 10 requirements.

ADDITIONAL BAA REQUIREMENTS IN TEXAS HB 300[10]

HB 300 imposes stricter requirements on use of PHI for all businesses that handle PHI. To ensure compliance with HB 300, a business associate that expects more than purely incidental contact with PHI should incorporate these terms (in addition to the federally mandated terms noted above) into its HIPAA BAA. The business associate will:

  • notify its contracting covered entity when a breach of the restrictions on PHI is discovered;
  • ensure that its employees have received the proper privacy training;
  • encrypt PHI on mobile devices, during electronic or online exchanges of PHI, and in other high-risk circumstances.

Including these terms in the BAA, and implementing them in its business practices, protects RPC and its clients if a breach of HIPAA or HB 300 requirements regarding PHI occurs.[11] RPC’s BAA templates include provisions that cover these situations. Note that because neither federal law nor Texas law defines and requires a particular security protocol (i.e., encryption), the BAA templates refer to the federal safety and breach notification regulations on the HHS website.[12] The language about security safeguards is drafted broadly in the attached BAA templates, to document best available practices. RPC has data encryption capability in place. RPC seeks this representation from its clients and subcontractors with whom it shares ePHI.

The same is true for employee training. In its BAA templates, RPC represents that its employees receive training in the timeframes required by HB 300 (within 90 days of employment and every two years), and seeks the same representation from its clients and subcontractors.

CONCLUSION

This blog post explains differences in the definition of “covered entity” in federal and Texas law. It recommends the elements to include in court protective orders and BAAs to comply with HIPAA regulations and guidance, and with Texas HB 300. If you have questions about the memo or the templates, please let us know.

RPC is not a law firm and nothing in this email or blog post is intended as legal advice. The information and attachments are offered as general information. Readers who are not attorneys should consult their legal counsel before taking any action or using the attachments.

[1] See 45 CFR §160.103; see also https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity, accessed September 30, 2020.

[2] Tex. Health and Safety Code §181.001(b)(2)(A)-(D) (emphasis added).

[3] Ibid. at §181.101(a).

[4] HIPAA defines a covered entity as (1) A health plan; (2) A health care clearinghouse; or (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter (45 CFR §160.103). Texas HB 300 defines the term much more broadly, as discussed below.

[5] “Business Associate” is defined as “(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information. (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity. (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” See https://www.law.cornell.edu/cfr/text/45/164.308.

[6] https://www.law.cornell.edu/cfr/text/45/164.314#a.

[7] https://www.hhs.gov/hipaa/for-professionals/faq/business-associates/index.html, accessed September 30, 2020.

[8] https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html, accessed September 30, 2020.

[9] Electronic protected health information (“ePHI”) is PHI transmitted in any electronic form, such as digital copies of medical reports.

[10] The enrolled version of HB 300 is available at https://capitol.texas.gov/tlodocs/82R/billtext/html/HB00300F.htm. Citations are to the Texas Health and Safety Code, as amended by HB 300.

[11] HB 300 is enforced primarily through financial penalties, the amount of which is determined in part by the covered entity’s history of compliance and the “nature, circumstances, extent, and gravity of the disclosure” (§181.201). Factors including whether ePHI is encrypted will affect the amount of a potential penalty (§181.201(b-1)(1)).

[12] https://www.hhs.gov/hipaa/for-professionals/breach-notification/laws-regulations/index.html, accessed September 30, 2020.