Business Associates 101

1
Business Associates 101
HIPAA Privacy

• Jennifer Wolfe Jerram, B.S.N., J.D. email
  jjerram_at_stinson.comwww.stinson.com(402) 342-1700

2
Business Associate - Defined
Where to look in the regulations

•  160.103 Federal Register, p. 82798
• Preamble pp. 82475-76
• Comments p. 82567

3
Business Associate - Disclosure Standard
Where to look in the regulations

•  164.502(e) Federal Register, p. 82806
• Preamble p. 82499
• Comments pp. 82640-45

4
Business Associate - Contract Requirements
Where to look in the regulations

•  164.504(e) Federal Register, pp. 82808-09
• Preamble pp. 82503-07
• Comments pp. 82640-45

5
Who is a Business Associate?

• A party who will be governed indirectly by
  portions of the HIPAA privacy regulations by
  virtue of his/her/its contractual obligations to
  covered entities.

6
Who are your Business Associates?

• 2 separate groups under the regulations

7
1st Group Relationship withCovered Entity
Who are your Business Associates?

• A person or entity who performs or assists in the
  performance of a function or activity involving
  the use or disclosure of PHI on behalf of the
  Covered Entity.

8
Examples include
Who are your Business Associates?

• Claims processing
• Data analysis
• UR
• QA
• Billing
• Others

9
2nd Group Listed Functions
Who are your Business Associates?

• A person or entity who provides certain
  identified services to the Covered Entity, where
  the provision of services involves disclosure of
  PHI.

10
Services Identified in Privacy Regulations
Who are your Business Associates?

• legal
• actuarial
• accounting
• consulting
• data aggregation

• management
• administrative
• accreditation
• financial services
• end of list - no others

11
Business Associates

• Members of your workforce are not your Business
  Associates
• Covered Entities can be Business Associates of
  other Covered Entities

12
Whats in a Name?
Business Associates

• Business Partner proposed privacy regulations
• Trading Partner code sets and transactions
• Chain of Trust Agreements proposed security
  standards

13
How to Identify your Business Associates

• Education
• Survey tools
• Inventory existing contracts

14
How to Identify your Business Associates (contd)

• Who has authority to execute contracts? (dont
  forget satellite locations, affiliated entities)
• Where are existing contracts kept?
• How many oral contracts are out there?
• Are you the Covered Entity or the Business
  Associate?

15
Always ask this question

• Is the use/disclosure of PHI really necessary?

16
Now, lets complicate things

• Is the use/disclosure of PHI necessary for B/A to
  carry out its own function or is B/A carrying out
  function on behalf of the C/E?

17
Disclosures to Business Associates

• Disclosures to B/A is an exception to the general
  rule under HIPAA No use/disclosure unless
  theres an exception in the regulations.

18
Disclosures to Business Associates

• A C/E may disclose PHI to a B/A and may allow a
  B/A to create or receive PHI on its behalf, if
  the C/E obtains satisfactory assurance that the
  B/A will appropriately safeguard the PHI.

19
SATISFACTORY ASSURANCE
20
Disclosures to Business Associates

• Satisfactory Assurance requires a written
  contract or other written agreement or
  arrangement with the B/A that meets the
  requirements of  164.504(e)

21
Requirements under  164.504(e)

• Establish the B/As permitted/required uses and
  disclosures of PHI
• Contract may not authorize the B/A to use/further
  disclose PHI in a manner that would violate the
  regulations if done by the C/E
• Has the C/E agreed to any restrictions on its own
  uses/disclosures?

22
B/A Contract must provide that the B/A will
 164.504(e)

• Not use/further disclose PHI other than as
  permitted/required by the contract or as required
  by law
• Use appropriate safeguards to prevent
  use/disclosure of PHI other than as provided for
  by its contract.

23
B/A Contract must provide that the B/A will
(contd)
 164.504(e)

• Report to the C/E any use/disclosure of PHI not
  provided for by its contract
• Ensure that any agents, including subcontractors,
  agree to same restrictions

24
B/A Contract must provide that the B/A will
(contd)
 164.504(e)

• Make PHI available in accordance with  164.524
  (access to individuals)
• Make PHI available for amendment and incorporate
  any amendments in accordance with  164.526

25
B/A Contract must provide that the B/A will
(contd)
 164.504(e)

• Make available the information required for the
  C/E to provide an accounting of disclosure
  pursuant to  164.528
• Make its internal practices, books and records
  relating to use/disclosure of PHI available to
  HHS Secretary

26
B/A Contract must provide that the B/A will
(contd)
 164.504(e)

• Return or destroy all PHI upon termination of the
  contract if not feasible to return/destroy,
  then the contractual protections must be extended
  to limit any further uses/disclosures

27
B/A Contract must provide that the B/A will
(contd)
 164.504(e)

• Authorize termination of the contract by C/E if
  C/E entity determines that the B/A has violated a
  material term of the contract and

28
B/A Contract should also provide that the B/A
will (contd)

• Retain records for 6 years (enables the C/E to
  comply with its own duties under Individual
  Rights)

29
A Welcome Change from theProposed Regulations

• Intended Third Party Beneficiary clause is NOT
  required under final privacy regulations

30
Business Associate contracts MAY permit

• The B/A to use/disclose PHI for the proper
  management and administration of the B/A or to
  carry out the legal responsibilities of the B/A.

31
Business Associate contracts

• If you are the B/A, you might want to include
  this permissible provision.

32
C/E is NOT in compliance with  164.502(e)
Covered Entitys Compliance

• C/E knew of a pattern of activity or practice of
  the B/A that constituted a breach unless C/E
  took reasonable steps to cure the breach.

33
If C/Es reasonable steps were unsuccessful,
C/E must
Covered Entitys Compliance

• Terminate the contract or
• If termination is not feasible, report the
  problem to the HHS Secretary.

34
What does this mean?
Covered Entitys Compliance

• C/E must have knowledge of the breach
• C/E liable if it fails to respond (cure,
  terminate and/or report)

35
Steps to Compliance

• Identify potential B/A situations.
• Are you the C/E?
• Are you the B/A?
• Is PHI really necessary?

36
Steps to Compliance

• Is a B/A contract required?
• Is there already a contract in place?
• When/how does it terminate?
• What is required to amend it?

37
Steps to Compliance

• Privacy Addendum
• Whole new agreement
• Placeholder language
• Individualize B/A requirements as needed

38
Coordinate with Security/Code Sets Compliance
Efforts
Steps to Compliance
39
JOIN THE NE-SNIP PRIVACY WORK GROUP!
Steps to Compliance