Second, the Department proposed to modify § 160. We note that the conduit exception is limited to transmission services whether digital or hard copy, including any temporary storage of transmitted data incident to such transmission. Commenters indicated that some State laws require providers to directly share immunization records with schools and provide parents with the opportunity to opt out of this direct sharing. Starting September 23rd, a patient has the right to obtain an electronic copy of her electronic health record. Second, the use of protected health information among legally separate covered entities under common ownership or control that have designated themselves as an affiliated covered entity i.
For example, a telecommunications company may have occasional, random access to protected health information when it reviews whether the data transmitted over its network is arriving at its intended destination. Response: We decline to completely exempt limited data sets from these provisions as, unlike de-identified data, they are still protected health information. We emphasize that the goal of enforcement is to ensure that violations do not recur without impeding access to care. Subcontractors The Omnibus Rule pulls subcontractors into the definition of business associates. Such incidents must be evaluated like any other security incident.
We refer readers to the above discussion regarding transmission services and conduits. Thus, a business associate would be required by § 164. We emphasized that this proposed exception would not apply if a covered entity received remuneration above the actual cost incurred to prepare, produce, and transmit the protected health information for the permitted purpose, unless such fee is expressly permitted by other law. The proposed rule proposed to revise the structure and list of factors at § 160. We disagree with comments that documentation would be as burdensome on covered entities as written authorization, since an authorization form contains many required statements and elements, including a signature by the appropriate individual, which are not required for the agreement and documentation contemplated here.
Accordingly, covered entities and business associates should review their breach notification policies and procedures prior to the September 23, 2013 compliance date to ensure they are consistent with these changes. Consequently, Business Associates are now directly liable for any non-compliance and any fines associated with the non-compliance. The Omnibus Rule also clarifies the fees that may be charged. For example, a parent may call and request that a covered entity provide his or her child's immunization records before the child begins elementary school, if required by State school entry laws. A covered entity is not required to purchase new software or systems to accommodate the requested electronic format.
We also proposed a number of modifications to streamline the requirements of § 164. Direct liability As expected, the Omnibus Rule makes business associates directly liable for compliance with many of the same standards and implementation specifications under the security rule and applies the same penalties to business associates that apply to covered entities. This change would permit the Department to proceed with a willful neglect violation determination as appropriate, while also permitting the Department to seek resolution of complaints and compliance reviews that did not indicate willful neglect violations by informal means e. Previously, a covered entity could use or disclose only demographic information and dates of service for fundraising. A few commenters expressed particular concern with what they believed to be the unfair ability of the Secretary to impose the maximum penalty amounts to violations falling within the two lowest categories of culpability i.
In other words, if the entity could demonstrate there is no significant risk of harm, then the incident did not rise to a reportable breach. Response: We decline to delay application of the requirements under the Security Rule to subcontractors beyond the compliance dates provided by this final rule. A few commenters were opposed to the 50-year period of protection because they interpreted this provision to be a proposed record retention requirement. Finally, these disclosures are permitted and not required, and thus, a covered entity that questions the relationship of the person to the decedent or otherwise believes, based on the circumstances, that disclosure of the decedent's protected health information would not be appropriate, is not required to make the disclosure. Thus, costs may include the direct and indirect costs to prepare and transmit the data, including labor, materials, and supplies, but not a profit margin.
Note also that in many breach cases, there will be both an impermissible use or disclosure, as well as a safeguards violation, for each of which the Department may calculate a separate civil money penalty. In short, the term now applies to both Covered Entities and Business Associates. We also clarify that the same interpretations that apply to determining whether a first tier contractor is a business associate also apply to determining whether a subcontractor is a business associate. However, other sources of information exist that could establish knowledge, including internal indications of a potential noncompliance such as unusual access or audit log activity. A similar provision is not necessary or appropriate for disclosures of limited data sets for research or public health purposes since such disclosures would not otherwise require business associate agreements.
We also proposed a conforming change to revise the titles of § 164. As discussed above, § 164. Overview of Public Comments We received one comment requesting that the Department limit the number of mitigating factors it will consider when determining penalty amounts and apply civil money penalties in every case of noncompliance, including where resolution and compliance have been achieved by informal means. Overview of Public Comments The Department received comments in support of the revised definition and the flexibility created to account for later technological developments. Both the contractor and all of the subcontractors are business associates under the final rule to the extent they create, receive, maintain, or transmit protected health information.
We do not agree with the commenter that any deviation from the terms in a business associate contract would be by definition outside the scope of agency. Finally, we clarify that the 50-year period of protection is not a record retention requirement. Final Rule The final rule is effective on March 26, 2013. Finally, we also provide at new § 164. Comment: Two commenters suggested providing subcontractors with additional time to comply with the provisions of the Security Rule. Finally, an entity will have the opportunity to submit evidence establishing its knowledge or lack of knowledge, during the Department's investigation.