March 5, 2002
The Honorable Tommy Thompson
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
RE: Business Associates Provisions
of the "Standards for Privacy of Individually Identifiable Health Information"
(65 Fed. Reg. 82472)
Dear Secretary Thompson:
The undersigned national organizations
representing physicians are writing to express serious concerns regarding the
Business Associates provisions in the final privacy rule promulgated by the
Department of Health and Human Services (HHS) pursuant to the Health Insurance
Portability and Accountability Act of 1996 (HIPAA). Unless substantially
amended, these provisions will unnecessarily add to the significant
administrative burdens already facing physicians and other health care
providers across the country. We strongly support safeguards for patient
privacy and confidentiality. However, we believe the Business Associate
provisions in the final privacy rule fail to successfully extend privacy
protections to entities that are not subject to HIPAA, and impose an unfair and
unwieldy burden on physicians and other covered entities.
The Business Associate provisions
are unfair as a matter of principle and will create additional and unreasonable
burdens, costs, liabilities, and hassles on the medical community. We strongly
believe that these provisions should be eliminated from the rule. The
Business Associates provisions unreasonably hold physicians and other covered
entities responsible for actions of their business associates and impose upon
them an affirmative obligation to mitigate any harmful effects of unauthorized
uses or disclosures of patient information by business associates. We
appreciate efforts by HHS to broaden application of federal privacy
requirements by attempting to bring these business associates under the
construct of the final privacy rule. Yet, out of basic fairness, any extension
of privacy rules to entities not covered by HIPAA must be achieved through new
legislation. Only then will it be possible to ensure that entities that
actually misuse confidential patient information can be held accountable and
can be subject to sanctions instead of holding responsible other entities that
did not misuse the information.
In the event HHS will not eliminate
the Business Associate provisions from the rule, at an absolute minimum, the
Business Associate provisions must be substantially amended. In order to
make the Business Associates provisions more acceptable, we recommend that HHS
make the following changes to the final privacy rule: (1) provide that an
entity is either a covered entity or a business associate, but not both; (2)
allow contracts that covered entities currently have with business associates
to be "grandfathered" so that they need not be renegotiated until they expire;
(3) provide covered entities with the option to require their business
associates to provide assurances by certification, in lieu of a contract, that
they understand their obligations with respect to privacy of health information
and will comply with the Business Associates provisions of the rule; (4)
clarify the knowledge requirement under the rule and limit the responsibility
of a covered entity to act upon information that a business associate may have
materially breached or violated its obligations under the contract or
certification; (5) eliminate the duty of covered entities to mitigate harmful
effects caused by a use or disclosure of protected health information made by
their business associates; and (6) clarify the provisions that would require
business associates to "make available" protected health information in
accordance with certain patient rights provisions so that the administrative
burdens and responsibilities on physicians and other covered entities are
limited.
Patient privacy is fundamental to the
physician-patient relationship. Physicians have ethical and legal duties to
maintain patient privacy and have traditionally been the guardians standing
between patients and any unrestricted use and access to patients' private
medical records. As such, physicians currently take measures to ensure the
privacy of patient information in the normal course of business. We therefore
support the concept in the final privacy rule that covered entities must obtain
satisfactory assurances from those to whom protected health information is
disclosed so that such protected health information will remain confidential.
We believe that the changes and clarifications to the final privacy rule that
we suggest support this concept and reduce associated unnecessary
administrative burdens and costs on physicians and other covered entities.
The rule should be amended to
provide that an entity is either a covered entity or a business associate, but
not both, effectively eliminating the requirement for a business associate
agreement between covered entities. Many covered entities serve a wide
variety of functions in various relationships that qualify as a business
associate under the rule. As currently written, the rule does not sufficiently
clarify when these relationships require a business associates agreement. In
addition, such a business associate would already have responsibilities as a
covered entity; thus it imposes an unnecessary burden on covered entities to
enter into contractual relationships that serve no identifiable purpose. This
change would make clear that a covered entity is never a business associate and
must therefore comply with the final privacy rule with respect to any protected
health information in its possession regardless of whether or not a business
associate agreement is in place.
Covered entities should be provided
the option to require their business associates to provide satisfactory
assurances under section 164.502(e)(1) of the rule by certification in lieu of
a contract. Some covered entities have so many business associates that
they will be required to rewrite hundreds of contracts under the rule. Some
providers would even have to establish multiple contracts where none are
currently in place in order to meet the requirements of the rule. For example,
some cleaning companies may actually contract with the company that owns or
manages a building with which a physician office may have a lease. In this
instance, there may not be any formal arrangement between the cleaning company
and the physician office; however under the current rule a contract would be
required. The certification option would require the business associates to
certify to the covered entity before protected health information may be
disclosed to them that they understand their obligations to maintain as
confidential and private any health information and will comply with the
Business Associates provisions of the rule. The certification could be
performed internally or by an external agency.
Making the contract requirement
between covered entities and business associates optional will reduce much of
the burden under the rule and will provide covered entities with the
flexibility they need to determine which relationships should be governed by a
contract and which relationships may only need a certification. For example,
the physician practice may determine that its cleaning company or its medical
society that helps with patient care issues, both of whom would be considered
business associates under the rule, may not pose the same risk for potential
abuse of protected health information as other entities. Therefore, it may be
reasonable for the physician to require these business associates to certify
that they will meet the Business Associate requirements of the rule and will
maintain as private and confidential any protected health information they may
observe or obtain. Where frequent and direct contact with a significant amount
of protected health information is necessary to carry out business associate
functions, such as a billing company or consultant, a formal contract should be
in place.
In addition, where covered entities
choose to contract with their business associates, they should not be forced to
renegotiate current contracts with business associates until they expire.
Some covered entities that have many business associates may want to
renegotiate some contracts, yet others may have another year or so left before
there is an obligation to renegotiate the relationship. It is too burdensome to
require multiple contracts to be renegotiated at once. This will require an
unnecessary expenditure of resources and the administrative burden on covered
entities will be substantial. Instead of mandating covered entities to
renegotiate their current contracts with business associates before they
expire or to create new ones, we believe the certification option would provide
the same protections for patients at a much more reasonable cost.
Another concern with the Business
Associates provisions that must be addressed by HHS is the unreasonable burdens
and liabilities placed on physicians and other covered entities for the
wrongdoing of their business associates. The final rule states that a
covered entity is in violation of the rule if it "knew of a pattern of activity
or practice of the business associate that constituted a material breach or
violation of the business associate's obligation...unless the covered entity
took reasonable steps to cure the breach or end the violation."
(164.504(e)(1)(ii)) [Emphasis added.] In addition, the final privacy rule
states, "[a] covered entity must mitigate ... any harmful effect that is known to
the covered entity of a use or disclosure of protected health information ... by
the covered entity or its business associate." (164.530(f)) [Emphasis added.]
Again, we appreciate that HHS would like to extend the reach of the privacy
rule to entities not covered under HIPAA. However, out of basic fairness,
physicians and other covered entities should only be responsible for their own
noncompliance with the provisions of the rule.
The responsibility of a covered
entity to act upon "knowledge" that a business associate may have breached the
Business Associate contract or certification should be explicitly limited.
We believe the knowledge standard in 164.504(e)(1)(ii) is ambiguous and
ultimately leaves the covered entity open to liability for knowledge that may
be imputed to the covered entity even if no responsible person actually knew
about the breach. While physicians have an ethical obligation to act if they
suspect misuse of protected health information by their business associates, we
do not believe they should be exposed to potential penalties for violating the
privacy rule if they do not, especially since the "knowledge" standard is
ambiguous. Therefore, we recommend the rule be amended to require the
covered entity to act only if the business associate or a patient reports to
the designated privacy officer of the covered entity that a misuse of protected
health information by the business associate has occurred. Only then should
a covered entity be obligated to take reasonable steps under the privacy rule.
We believe that the covered entity should only be required to obtain adequate
assurances from the business associate that the breach has been addressed and
corrected. Further, if such assurances cannot be obtained, the covered entity
should be required to terminate the contract (if feasible), or report the
violation to HHS.
In that same vein, we recommend
that HHS eliminate the duty of a covered entity to mitigate harmful effects of
a use or disclosure of protected health information by a business associate
under 164.530(f). Otherwise, the physician becomes responsible for actions
of the business associate that are truly beyond the control of the physician.
In reality, it will be difficult for a physician to undo the harm caused by a
business associate; this is rightfully the burden of the breaching party - the
business associate. Again, this provision places unreasonable burdens and
liabilities on the physician for actions that result in breaches of privacy
made by other entities.
Finally, we are concerned that certain
Business Associates provisions may create ambiguous, open-ended responsibility
for physicians in connection with their obligations under the patient rights
provisions of the final privacy rule. Section 164.504(e)(2)(E)-(G) provides
that a business associate contract must require business associates to "make
available" protected health information "in accordance with 164.524," "for
amendment ...," and as "required to provide an accounting of disclosures." These
requirements refer to the patients' rights to access their designated record
set, to amend their records and to receive an accounting of disclosures made by
a covered entity. The rule does not say if the business associates are required
to make the information available to the patient or to the covered entity that
would in turn make the information available to the patient. Therefore these
provisions are ambiguous and should be clarified to ensure that covered
entities are not required to provide to patients any information that is not
already in the possession of the covered entity. Covered entities should
not be obligated to go on fishing expeditions with all of their business
associates to provide patients access to records in the possession of their
business associates or to provide an accounting of disclosures made by their
business associates. It should be sufficient for the covered entity to provide
to the patient only the information in their possession and an accounting of
disclosures made by the covered entity.
In conclusion, we applaud HHS for its
commitment to protecting the privacy of personal health information. We do
believe, however, that the Business Associates provisions in the final rule
must be eliminated, or at a minimum modified, in order to ensure that the rule
is fair and workable for covered entities. To adequately protect the privacy of
personal health information and strengthen safeguards for confidentiality of
patient information, Congress must enact privacy legislation that applies to
all entities that maintain protected health information. We also believe HHS
should provide the medical community with model Business Associate agreements
that will help our members to comply with the rule. We are eager to assist HHS
in its efforts to reform the Business Associates provisions and hope that our
comments are helpful.
Sincerely,
American Academy of Child and Adolescent Psychiatry
American Academy of Dermatology Association
American Academy of Facial Plastic and Reconstructive Surgery
American Academy of Family Physicians
American Academy of Neurology
American Academy of Ophthalmology
American Academy of Otolaryngology-Head and Neck Surgery
American Academy of Physical Medicine and Rehabilitation
American Academy of Sleep Medicine
American Association of Clinical Endocrinologists
American Association of Clinical Urologists
American Association of Neurological Surgeons
American Association of Orthopaedic Surgeons
American College of Cardiology
American College of Nuclear Physicians
American College of Obstetricians and Gynecologists
American College of Osteopathic Family Physicians
American College of Osteopathic Pediatricians
American College of Osteopathic Surgeons
American College of Physicians-American Society of Internal Medicine
American College of Radiology
American College of Surgeons
American Gastroenterological Association
American Medical Association
American Medical Group Association
American Osteopathic Association
American Psychiatric Association
American Society for Gastrointestinal Endoscopy
American Society for Reproductive Medicine
American Society for Therapeutic Radiology and Oncology
American Society of Anesthesiologists
American Society of Cataract and Refractive Surgery
American Society of Clinical Oncology
American Society of General Surgeons
American Society of Hematology
American Thoracic Society
American Urogynecologic Society
American Urological Association
College of American Pathologists
Congress of Neurological Surgeons
Medical Group Management Association
Ohio Osteopathic Association
Society for Cardiac Angiography and Interventions
Society of Critical Care Medicine
Society of Gynecologic Oncologists
Society of Nuclear Medicine