Headaches and Pitfalls in Business Associate Contract Management
© 2013 Christiansen IT Law
American Bar Association Health Law Section
eHealth, Privacy & Security Committee Webinar, August 30, 2013
© 2013 Christiansen IT Law Privacy/Security/Compliance
Presenter CV
John R. Christiansen, J.D. - Christiansen IT Law
• Chair, ABA HITECH Megarule/Business Associates Task Force (2009 – pres.); Committees on Healthcare Privacy, Security and Information Technology (2004 – 06); on Healthcare Informatics (2000 – 04); and PKI Assessment Guidelines Health Information Protection and Security Task Group (2000 – 2003)
• Author, The HITECH Business Associate Contracts Bible (ABA 2013); State and Federal Consent Laws Affecting Health Information Exchange (NGA 2011); Policy Solutions for Advancing Interstate Health Information Exchange (NGA 2009); An Integrated Standard of Care for Healthcare Information Security (AHLA 2005); Electronic Health Information: Security and Privacy Compliance under HIPAA (AHLA 2000)
• Special Assistant Attorney General to Washington State Health Care Authority, health care information issues related to HIPAA, HITECH, and related issues
• Privacy and Security Expert, ONC/OCR Comprehensive Campaign for Communication and Education About the HITECH Act (2010 – 2012); Consultant, ONC State Health Policy Consortium (2010 – pres.); Technical Advisor, ONC Health Information Security and Privacy Collaboration (2005 – 2009)
• Executive Committee/Secretary, Washington State Bar Association Health Law Section (2012 – pres.)
• Adjunct Faculty, University of Washington Information School (2008 – 2012); Oregon Health and Sciences University Division of Medical Informatics and Outcomes Research (2000 – 2003)
Our Agenda
• We Assume You Know at Least the Fundamentals of the Omnibus Rule
 – September 23 is Less than Four Weeks Away
• Quick Basics of Terminology
 – See HITECH Business Associates Task Force Publications for More Details
• Business Associate Contract Pass-Along Problems
• A Few Sample Problems
You Think Organic Chemistry is Complicated?
A Few HITECH BA Chain Variations
[Diagram residue: chain diagrams from the “A Few HITECH BA Chain Variations” slide. (1) Multi-services QIO: multiple Covered Entities (Physician Practices, Hospitals) → Business Associate (QIO) → Subcontractors (Analytics, Hosting, Consult1, Consult2), with side-chain Services Providers (Security, Legal1, Legal2, ParaLx). (2) Bundled IT Services Provider: Covered Entity (Physician Practice) → Business Associate (IT Services Provider) → Subcontractors (e-Rx, EHR, Hosting, Admin, Billing, Coding), with side-chain Services Providers (Audit, Legal). (3) Two simpler chains: Covered Entity (Physician Practice) → Business Associate (IT Services Provider) → Subcontractors (Admin, Billing, Coding), one of them with side-chain Services Providers (ParaLx, Security, Legal, Hosting). (4) HIO: Covered Entities (Physician Practices, Hospitals, Labs, Plans) and Business Associates (IT Svces, Billing, Admin, etc.) → HIO (Business Associate/Subcontractor) → Subcontractors (Hosting, RLS, HIE, MPI, Analytics), with side-chain Services Providers (Security, Audit).]
Business Associate Terminology
• “Long Chain” Subcontracting
• “Upstream:” CE, or BA delegating function
• “Downstream:” BA to which function is delegated
• “First tier” BA: BA with direct delegation from CE
• “Second tier” BA: BA with direct delegation from first tier BA (and third, fourth tier, etc.)
• “Lower tier” BAs: BAs below first tier
[Diagram: long chain – Covered Entity (Physician Practice) → Business Associate (IT Services Provider) → Subcontractors (Admin, Billing, Coding)]
Business Associate Terminology
• “Side Chain” Services Providers
• BA retains organization to provide services to BA
 – Not a BA/Subcontractor*
• “BA Services Provider” may use, disclose PHI for BA purposes
• BA Services Provider may use other parties to provide support/related services for BA purposes
 – These parties are also not BAs
* Note: Same kind of services provider to CE is a BA
[Diagram: side chains – Covered Entity (Physician Practice) → Business Associate (IT Services Provider) → Subcontractors (Admin, Billing, Coding); BA side-chain Services Providers (ParaLx, Security, Legal, Hosting); Business Associate (Legal) with its own side-chain Services Provider (ParaLx)]
Pass-Along Problems
1. PHI Use/Disclosure Limitations for CE Functions, Activities, Services
• CE must pass along to First Tier BA:
 – General Privacy Rule limitations – required part of BAC
 – NOPP limitations (if any) – implied, not required in BAC
 – Additional restrictions (if any) – implied, not required in BAC
 – Minimum necessary policies (see below) – implied, not required in BAC
• First Tier BA must pass along BAC limitations to Second Tier BA
 – First Tier BA may add “more stringent” limitations to Downstream BAC
• Each Lower Tier BA must pass along limitations from Upstream BAC
 – Each BA may add “more stringent” limitations to Downstream BAC
Pass-Along Problems
2. Individual Access/Accounting Timing and Format
• Long-chain relationships must ensure CE can comply with:
 – 30 day access response (permitted 60 day extension if PHI not maintained on-site by CE)
  • CE review for denial may be necessary
 – Requests for copies in specified electronic formats
 – 60 day response for accounting of disclosures (permitted 30 day extension if CE gives statement of reasons)
• BAC response requirements shorten with each link in the chain – permitted as “More Stringent” requirement
Pass-Along Problems
3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes
• Optional BAC provisions permitting Business Associates to use/disclose PHI for Business Associate management, administration, legal responsibilities, if required by law
 – CE not required to include in BAC
 – First and Lower Tier BAs not required to include in BAC even if CE permits (“more stringent”)
 – If not included, BAs below “cutoff” (BAC not including optional provisions) may not use/disclose PHI for e.g. legal services, audit, consultants, breach investigation, personnel matters (e.g. Security Rule sanctions enforcement), etc.
Pass-Along Problems
3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes
• First Tier BAC does not permit use/disclosure for BA purposes
• First Tier BA cannot disclose PHI to law firm
• Second Tier BA cannot disclose PHI to security services provider
• Third Tier BA cannot use third party hosting services
• Etc.
[Diagram: Covered Entity (Physician Practice) → Business Associate (IT Services Provider) → Subcontractors (Admin, Billing, Coding), with side-chain Services Providers (ParaLx, Security, Legal, Hosting) and Business Associate (Legal) → Services Provider (ParaLx); the first tier BAC is marked “NO BA USE OR DISCLOSURE” and the side-chain disclosures are crossed out (X)]
Pass-Along Problems
4. Minimum Necessary
• “A covered entity’s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR 164.504(e)(2)(i). Thus, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity’s minimum necessary policies and procedures. . .”
 – OCR Health Information Privacy FAQ, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/252.html
• All BAs have to comply with CE minimum necessary policies
• BAs (mostly) don’t have the authority to adopt their own minimum necessary policies
Pass-Along Problems
4. Minimum Necessary
• Not a specifically required BAC provision
• Strongly implied: BA can’t use/disclose PHI in a manner CE can’t, and CE mostly can’t use/disclose except under minimum necessary policy
 – OCR BAC Sample “optional” provisions
• Does the CE have minimum necessary policies and procedures?
• Are the CE’s minimum necessary policies complete and intelligible?
• Do the CE’s minimum necessary policies include purposes, positions, PHI scope consistent with BA services, functions, activities?
 – Both for CE purposes, and for BA administrative etc. purposes
 – E.g. physician practice outsources all EHR functions, has no need or policy for network administrator
• Note that professional services provider (e.g. law firm) can define minimum necessary in request to CE – but can’t in request to BA
Pass-Along Problems
5. BAC Termination Problems
• How to coordinate termination of lower tiers?
• How does CE obtain “return” of PHI from lower tiers?
 – Lower tier BAC probably specifies that PHI will be returned to upstream BA upon termination
• Can lower tier BAC include permission to retain PHI if upstream BAC does not?
• Should CE have notice of lower tier BA retention?
Pass-Along Problems
6. Breach Notification
• BAC required to specify reporting of security incidents, unauthorized use/disclosure of PHI, breaches
 – Lower tier BACs probably specify that Downstream BA will notify Upstream BA
 – Agreements with Services Providers must include requirement to report “breach of confidentiality” – not the same as a Breach Notification Rule “breach?”
• Breach Notification Rule independently requires any BA to notify CE of breaches
Pass-Along Problems
6. Breach Notification
• First Tier BA has regulatory and contract requirement to notify CE
• Second Tier BA has regulatory requirement to notify CE, and contract requirement to notify First Tier BA
• Third Tier BA has regulatory requirement to notify CE, and contract requirement to notify Second Tier BA
• Etc.
[Diagram: Covered Entity (Physician Practice) → Business Associate (IT Services Provider) → Subcontractors (Admin, Billing, Coding)]
Pass-Along Problems
6. Breach Notification
• Breach Notification Rule specifies that the CE (or its “designee”) has the authority to determine if an unauthorized use/disclosure is a “breach”
 – Even though BAs must report “breaches?”
• Under some conditions both CE and BA may have state law breach notification obligations
• BA must notify CE with no “unreasonable delay,” maximum 60 days from when it knew/should have known of breach
• CE must notify individuals, OCR (if more than 500 affected individuals) with no “unreasonable delay,” maximum 60 days from when it knew/should have known of breach
 – CE imputed BA knowledge if BA is CE agent under “federal common law”
• State laws typically require maximum 60 days notice
• BAC response requirements shorten with each link in the chain
Now Contract to Pass Along in These Variations
Bundled IT Service Provider BA with multiple Subcontractor Chains and Side Chains
[Diagram: Covered Entity (Physician Practice) → Business Associate (IT Services Provider) → Subcontractors (e-Rx, EHR, Hosting, Admin, Billing, Coding), with side-chain Services Providers (Audit, Legal)]
Now Contract to Pass Along in These Variations
Multi-Services QIO with Multiple CEs Using Various Services Provided through multiple Subcontractor Chains, with Side Chains
[Diagram: multiple Covered Entities (Physician Practices, Hospitals) → Business Associate (QIO) → Subcontractors (Analytics, Hosting, Consult1, Consult2), with side-chain Services Providers (Security, Legal1, Legal2, ParaLx)]
Now Contract to Pass Along in These Variations
HIO Providing Multiple Services to Open Community of CEs and BAs Using Various Services Provided through multiple Subcontractor Chains, with Side Chains
[Diagram: Covered Entities (Physician Practices, Hospitals, Labs, Plans) and Business Associates (IT Svces, Billing, Admin, etc.) → HIO (Business Associate/Subcontractor) → Subcontractors (Hosting, RLS, HIE, MPI, Analytics), with side-chain Services Providers (Security, Audit)]
How to Solve These Problems
If That Doesn’t Work . . .
Questions? Answers? Thanks!
• SciTech Listeners – Claim Your Complimentary Membership in ABA’s Health Law Section: http://ow.ly/o3VnI.
 – Then, join the eHealth, Privacy & Security interest group (also complimentary, after joining the Health Law Section): http://ow.ly/ncV3R.
• HL Section Listeners – Claim Your Complimentary Membership in ABA’s Science and Technology Section: http://ow.ly/ooTgn
• Remaining Agenda
 – Discuss upcoming eHealth IG initiatives.
 – Call for volunteers to work on eHealth IG committees and initiatives.
 – Other Hot Topics/open microphone. Collaborate with your peers!
• The HITECH Business Associate Contracts Bible