OCR's new FAQ addresses business associates' use of PHI

The U.S. Department of Health and Human Services’ Office of Civil Rights has released a new FAQ on business associates’ obligations under the HIPAA Privacy Rule.

CDA has in the past fielded questions and concerns from HIPAA-covered dentists who, in the process of a software transition, were prevented by the previously contracted vendor from accessing their patients’ information. Consistent with guidance CDA has issued, the OCR’s new FAQ clarifies that a business associate cannot prevent a HIPAA-covered entity’s access to protected health information maintained by the business associate (for or on behalf of the covered entity) unless the contract provides for it.

“A business associate may not use PHI in a manner or to accomplish a purpose or result that would violate the HIPAA Privacy Rule,” states the FAQ, which further clarifies that if a business associate blocks or terminates a covered entity’s access privileges, “the business associate has engaged in an act that is an impermissible use under the Privacy Rule.”

The HIPAA Security Rule requires the business associate to ensure the confidentiality, integrity and availability of all electronic PHI it creates, receives, maintains or transmits on behalf of a covered entity. The FAQ clarifies that “maintaining availability” means ensuring the PHI is “accessible and usable upon demand by the covered entity,” whether the PHI is maintained in a database, cloud or other system.

A HIPAA business associate is an entity, individual or organization that creates, receives, maintains or transmits patient health information to perform nonclinical functions, such as claims processing or information systems management, on behalf of a covered entity. Examples of dental practice business associates include:

  • Claims clearinghouses.
  • Practice management software vendors.
  • Electronic file-sharing services.
  • Cloud service providers.
  • Online data backup and storage services.
  • Practice management consultants and malpractice insurers/attorneys/accountants — upon sharing patient information.
  • Subcontractors of business associates.

The HIPAA-covered dental practice must have a business associate agreement with each entity that uses its patients’ information for nonclinical functions. Business associates may use and disclose the patient information provided by the HIPAA-covered entity only as provided for in the agreement and as allowed by law. Within the business associate agreement, a covered entity may further clarify and limit the permissible uses and disclosures by the business associate and may set additional requirements for the business associate.

Certain arrangements may authorize the business associate to destroy or dispose of PHI due to the nature of the services the business associate is to perform. The OCR does not consider these cases, if and as specified in the business associate agreement or contractual arrangements, to be “impermissible data blocking.” 

Guidance on cloud computing

The OCR also released a separate guidance on HIPAA and cloud computing in response to HIPAA-covered entities’ growing use of cloud computing solutions. The guidance aims to assist cloud services providers in understanding their responsibilities, under the HIPAA Rules, when creating, receiving, maintaining or transmitting PHI.

As described above, when a HIPAA-covered dental practice engages the services of a cloud services provider to create, receive, maintain, or transmit ePHI on its behalf, the CSP is a business associate under HIPAA. In addition, when a business associate subcontracts with a CSP to create, receive, maintain or transmit PHI on its behalf, the CSP subcontractor itself is a business associate. The new guidance stresses that “this is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data.” 

Plainly stated, a CSP that lacks an encryption key is not exempt from business associate status and obligations under the HIPAA Rules. 

View the OCR’s FAQ and guidance. Also, visit cda.org/resources for the CDA Practice Support resource, HIPAA and California Health Information Privacy and Protection Laws — Q&A.
