A Professional Corporation Stinson, Mag & Fizzell (402) 342-1700 Business Associates 101 Jennifer Wolfe Jerram, B.S.N., J.D. email: [email protected] www.stinson.com (402) 342-1700 HIPAA Privacy

Business Associates 101

Page 1: Business Associates 101

A Professional Corporation

Stinson, Mag & Fizzell (402) 342-1700

Business Associates 101

Jennifer Wolfe Jerram, B.S.N., J.D.

email: [email protected]

(402) 342-1700

HIPAA Privacy

Page 2: Business Associates 101

Business Associate - Defined

• § 160.103: Federal Register, p. 82798

• Preamble – pp. 82475-76

• Comments – p. 82567

Where to look in the regulations:

Page 3: Business Associates 101

Business Associate - Disclosure Standard

• § 164.502(e); Federal Register, p. 82806

• Preamble – p. 82499

• Comments – pp. 82640-45

Where to look in the regulations:

Page 4: Business Associates 101

Business Associate - Contract Requirements

• § 164.504(e): Federal Register, pp. 82808-09

• Preamble – pp. 82503-07

• Comments – pp. 82640-45

Where to look in the regulations:

Page 5: Business Associates 101

• A party who will be governed indirectly by portions of the HIPAA privacy regulations by virtue of his/her/its contractual obligations to covered entities.

Who is a Business Associate?

Page 6: Business Associates 101

• 2 separate groups under the regulations

Who are your Business Associates?

Page 7: Business Associates 101

1st Group: Relationship with Covered Entity

A person or entity who performs or assists in the performance of a function or activity involving the use or disclosure of PHI on behalf of the Covered Entity.

Who are your Business Associates?

Page 8: Business Associates 101

Examples include:

• Claims processing

• Data analysis

• UR

• QA

• Billing

• Others

Who are your Business Associates?

Page 9: Business Associates 101

2nd Group: Listed Functions

A person or entity who provides certain identified services to the Covered Entity, where the provision of services involves disclosure of PHI.

Who are your Business Associates?

Page 10: Business Associates 101

Services Identified in Privacy Regulations

• legal

• actuarial

• accounting

• consulting

• data aggregation

• management

• administrative

• accreditation

• financial services

• end of list - no others

Who are your Business Associates?

Page 11: Business Associates 101

• Members of your workforce are not your Business Associates

• Covered Entities can be Business Associates of other Covered Entities

Business Associates

Page 12: Business Associates 101

What’s in a Name?

• Business Partner – proposed privacy regulations

• Trading Partner – code sets and transactions

• Chain of Trust Agreements – proposed security standards

Business Associates

Page 13: Business Associates 101

• Education

• Survey tools

• Inventory existing contracts

How to Identify your Business Associates:

Page 14: Business Associates 101

• Who has authority to execute contracts? (don’t forget satellite locations, affiliated entities)

• Where are existing contracts kept?

• How many oral contracts are “out there?”

• Are you the Covered Entity or the Business Associate?

How to Identify your Business Associates (cont’d):

Page 15: Business Associates 101

Is the use/disclosure of PHI really necessary?

Always ask this question:

Page 16: Business Associates 101

Is the use/disclosure of PHI necessary for the B/A to carry out its own function, or is the B/A carrying out a function on behalf of the C/E?

Now, let’s complicate things:

Page 17: Business Associates 101

• Disclosure to a B/A is an exception to the general rule under HIPAA: No use/disclosure unless there’s an exception in the regulations.

Disclosures to Business Associates

Page 18: Business Associates 101

A C/E may disclose PHI to a B/A and may allow a B/A to create or receive PHI on its behalf, if the C/E obtains satisfactory assurance that the B/A will appropriately safeguard the PHI.

Disclosures to Business Associates

Page 19: Business Associates 101

“SATISFACTORY ASSURANCE”

Page 20: Business Associates 101

“Satisfactory Assurance” requires a written contract or other written agreement or arrangement with the B/A that meets the requirements of § 164.504(e)

Disclosures to Business Associates

Page 21: Business Associates 101

Requirements under § 164.504(e)

• Establish the B/A’s permitted/required uses and disclosures of PHI

• Contract may not authorize the B/A to use/further disclose PHI in a manner that would violate the regulations if done by the C/E

• Has the C/E agreed to any restrictions on its own uses/disclosures?

Page 22: Business Associates 101

B/A Contract must provide that the B/A will:

• Not use/further disclose PHI other than as permitted/required by the contract or as required by law;

• Use “appropriate safeguards” to prevent use/disclosure of PHI other than as provided for by its contract.

§ 164.504(e)

Page 23: Business Associates 101

B/A Contract must provide that the B/A will: (cont’d)

• Report to the C/E any use/disclosure of PHI not provided for by its contract;

• Ensure that any agents, including subcontractors, agree to same restrictions;

§ 164.504(e)

Page 24: Business Associates 101

B/A Contract must provide that the B/A will: (cont’d)

• Make PHI available in accordance with § 164.524 (access to individuals);

• Make PHI available for amendment and incorporate any amendments in accordance with § 164.526;

§ 164.504(e)

Page 25: Business Associates 101

B/A Contract must provide that the B/A will: (cont’d)

• Make available the information required for the C/E to provide an accounting of disclosure pursuant to § 164.528;

• Make its internal practices, books and records relating to use/disclosure of PHI available to HHS Secretary;

§ 164.504(e)

Page 26: Business Associates 101

B/A Contract must provide that the B/A will: (cont’d)

• Return or destroy all PHI upon termination of the contract – if not feasible to return/destroy, then the contractual protections must be extended to limit any further uses/disclosures;

§ 164.504(e)

Page 27: Business Associates 101

B/A Contract must provide that the B/A will: (cont’d)

• Authorize termination of the contract by the C/E if the C/E determines that the B/A has violated a material term of the contract; and

§ 164.504(e)

Page 28: Business Associates 101

B/A Contract should also provide that the B/A will: (cont’d)

• Retain records for 6 years (enables the C/E to comply with its own duties under Individual Rights)

Page 29: Business Associates 101

• Intended Third Party Beneficiary clause is NOT required under final privacy regulations

A Welcome Change from the Proposed Regulations

Page 30: Business Associates 101

Business Associate contracts MAY permit:

• The B/A to use/disclose PHI for the proper management and administration of the B/A or to carry out the legal responsibilities of the B/A.

Page 31: Business Associates 101

• If you are the B/A, you might want to include this permissible provision.

Business Associate contracts

Page 32: Business Associates 101

C/E is NOT in compliance with § 164.502(e):

• C/E knew of a pattern of activity or practice of the B/A that constituted a breach – unless C/E took “reasonable steps” to cure the breach.

Covered Entity’s Compliance

Page 33: Business Associates 101

If C/E’s “reasonable steps” were unsuccessful, C/E must:

• Terminate the contract; or

• If termination is not feasible, report the problem to the HHS Secretary.

Covered Entity’s Compliance

Page 34: Business Associates 101

What does this mean?

• C/E must have knowledge of the breach

• C/E liable if it fails to respond (cure, terminate and/or report)

Covered Entity’s Compliance

Page 35: Business Associates 101

• Identify potential B/A situations.
  – Are you the C/E?
  – Are you the B/A?
  – Is PHI really necessary?

Steps to Compliance

Page 36: Business Associates 101

• Is a B/A contract required?
  – Is there already a contract in place?
  – When/how does it terminate?
  – What is required to amend it?

Steps to Compliance

Page 37: Business Associates 101

• Privacy Addendum

• Whole new agreement

• Placeholder language

• Individualize B/A requirements as needed

Steps to Compliance

Page 38: Business Associates 101

Coordinate with Security/Code Sets Compliance Efforts

Steps to Compliance

Page 39: Business Associates 101

JOIN THE NE-SNIP PRIVACY WORK GROUP!

Steps to Compliance