A Professional Corporation
Stinson, Mag & Fizzell (402) 342-1700
HIPAA Privacy
Business Associates 101
Jennifer Wolfe Jerram, B.S.N., J.D.
email: [email protected]
www.stinson.com
(402) 342-1700
Where to look in the regulations:
Business Associate - Defined
• § 160.103: Federal Register, p. 82798
• Preamble – pp. 82475-76
• Comments – p. 82567
Where to look in the regulations:
Business Associate - Disclosure Standard
• § 164.502(e): Federal Register, p. 82806
• Preamble – p. 82499
• Comments – pp. 82640-45
Where to look in the regulations:
Business Associate - Contract Requirements
• § 164.504(e): Federal Register, pp. 82808-09
• Preamble – pp. 82503-07
• Comments – pp. 82640-45
Who is a Business Associate?
• A party who will be governed indirectly by portions of the HIPAA privacy regulations by virtue of his/her/its contractual obligations to covered entities.
Who are your Business Associates?
• 2 separate groups under the regulations
Who are your Business Associates?
1st Group: Relationship with Covered Entity
A person or entity who performs or assists in the performance of a function or activity involving the use or disclosure of PHI on behalf of the Covered Entity.
Who are your Business Associates?
Examples include:
• Claims processing
• Data analysis
• Utilization review (UR)
• Quality assurance (QA)
• Billing
• Others
Who are your Business Associates?
2nd Group: Listed Functions
A person or entity who provides certain identified services to the Covered Entity, where the provision of services involves disclosure of PHI.
Who are your Business Associates?
Services Identified in Privacy Regulations
• legal
• actuarial
• accounting
• consulting
• data aggregation
• management
• administrative
• accreditation
• financial services
• end of list - no others
Business Associates
• Members of your workforce are not your Business Associates
• Covered Entities can be Business Associates of other Covered Entities
Business Associates
What’s in a Name?
• Business Partner – proposed privacy regulations
• Trading Partner – code sets and transactions
• Chain of Trust Agreements – proposed security standards
How to Identify your Business Associates:
• Education
• Survey tools
• Inventory existing contracts
How to Identify your Business Associates (cont’d):
• Who has authority to execute contracts? (don’t forget satellite locations and affiliated entities)
• Where are existing contracts kept?
• How many oral contracts are “out there”?
• Are you the Covered Entity or the Business Associate?
Always ask this question:
Is the use/disclosure of PHI really necessary?
Now, let’s complicate things:
Is the use/disclosure of PHI necessary for the B/A to carry out its own function, or is the B/A carrying out a function on behalf of the C/E?
Disclosures to Business Associates
• Disclosure to a B/A is an exception to the general rule under HIPAA: no use/disclosure unless there is an exception in the regulations.
Disclosures to Business Associates
A C/E may disclose PHI to a B/A and may allow a B/A to create or receive PHI on its behalf, if the C/E obtains satisfactory assurance that the B/A will appropriately safeguard the PHI.
“SATISFACTORY ASSURANCE”
Disclosures to Business Associates
“Satisfactory Assurance” requires a written contract or other written agreement or arrangement with the B/A that meets the requirements of § 164.504(e).
Requirements under § 164.504(e)
• Establish the B/A’s permitted/required uses and disclosures of PHI
• Contract may not authorize the B/A to use/further disclose PHI in a manner that would violate the regulations if done by the C/E
• Has the C/E agreed to any restrictions on its own uses/disclosures?
§ 164.504(e)
B/A Contract must provide that the B/A will:
• Not use/further disclose PHI other than as permitted/required by the contract or as required by law;
• Use “appropriate safeguards” to prevent use/disclosure of PHI other than as provided for by its contract.
§ 164.504(e)
B/A Contract must provide that the B/A will: (cont’d)
• Report to the C/E any use/disclosure of PHI not provided for by its contract;
• Ensure that any agents, including subcontractors, agree to the same restrictions;
§ 164.504(e)
B/A Contract must provide that the B/A will: (cont’d)
• Make PHI available in accordance with § 164.524 (access by individuals);
• Make PHI available for amendment and incorporate any amendments in accordance with § 164.526;
§ 164.504(e)
B/A Contract must provide that the B/A will: (cont’d)
• Make available the information required for the C/E to provide an accounting of disclosures pursuant to § 164.528;
• Make its internal practices, books and records relating to use/disclosure of PHI available to the HHS Secretary;
§ 164.504(e)
B/A Contract must provide that the B/A will: (cont’d)
• Return or destroy all PHI upon termination of the contract – if it is not feasible to return/destroy, then the contractual protections must be extended to limit any further uses/disclosures;
§ 164.504(e)
B/A Contract must provide that the B/A will: (cont’d)
• Authorize termination of the contract by the C/E if the C/E determines that the B/A has violated a material term of the contract; and
B/A Contract should also provide that the B/A will: (cont’d)
• Retain records for 6 years (enables the C/E to comply with its own duties under Individual Rights)
A Welcome Change from the Proposed Regulations
• An Intended Third Party Beneficiary clause is NOT required under the final privacy regulations
Business Associate contracts MAY permit:
• The B/A to use/disclose PHI for the proper management and administration of the B/A or to carry out the legal responsibilities of the B/A.
Business Associate contracts
• If you are the B/A, you might want to include this permissible provision.
Covered Entity’s Compliance
C/E is NOT in compliance with § 164.502(e) if:
• C/E knew of a pattern of activity or practice of the B/A that constituted a breach – unless C/E took “reasonable steps” to cure the breach.
Covered Entity’s Compliance
If C/E’s “reasonable steps” were unsuccessful, C/E must:
• Terminate the contract; or
• If termination is not feasible, report the problem to the HHS Secretary.
Covered Entity’s Compliance
What does this mean?
• C/E must have knowledge of the breach
• C/E is liable if it fails to respond (cure, terminate and/or report)
Steps to Compliance
• Identify potential B/A situations.
  – Are you the C/E?
  – Are you the B/A?
  – Is PHI really necessary?
Steps to Compliance
• Is a B/A contract required?
  – Is there already a contract in place?
  – When/how does it terminate?
  – What is required to amend it?
Steps to Compliance
• Privacy Addendum
• Whole new agreement
• Placeholder language
• Individualize B/A requirements as needed
Steps to Compliance
Coordinate with Security/Code Sets Compliance Efforts
Steps to Compliance
JOIN THE NE-SNIP PRIVACY WORK GROUP!