HIPAA Collaborative of Wisconsin Business Associates Extending the Reach of the Privacy Rule

Upload: godwin-mitchell

Post on 15-Jan-2016


HIPAA Collaborative of Wisconsin

Business Associates

Extending the Reach of the Privacy Rule


© Copyright 2002 HIPAA Cow

This Training Module is Copyright © 2002 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder.

This Training Module is provided “as is” without any express or implied warranty. This Training Module is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this Training Module. Therefore, this form may need to be modified in order to comply with Wisconsin law.


Contents

1. Review of Key Definitions

• Covered Entity
• Protected Health Information (PHI)
• Business Associate

2. Required Contract Provisions

3. Examples / Discussion


HIPAA History

• HIPAA stands for Health Insurance Portability & Accountability Act of 1996.

• HIPAA was passed in 1996 as part of a broad congressional attempt at healthcare reform.


HIPAA Applies to Covered Entities:

• Health Plans

• Providers

• Clearinghouses


Privacy Rule: What Does It Do?

HIPAA regulates the use or disclosure of Protected Health Information (PHI).


What is Protected Health Information (PHI)?

Individually Identifiable Health Information that is transmitted or maintained in any form relating to the past, present, or future:

• Physical or mental health condition of an individual; or

• Provision of health care to an individual; or

• Payment for the provision of health care to an individual


Business Associates: Extending the Reach of the Rule

• Privacy Rule applies only to Covered Entities.

• Covered Entities are required to obtain satisfactory assurances that Business Associates will adhere to their privacy practices.


Who Are Your Business Associates?

• A person or entity that provides services on behalf of, or to, a Covered Entity, where those services involve the use or disclosure of PHI.

• NOT a member of your workforce.


Business Associates

• Perform a function on behalf of the Covered Entity that involves the use or disclosure of PHI.

• Workforce is exempted:
  – Includes students, residents, volunteers
  – Excludes independent contractors (no direct control)

• Exempts entities that are part of an OHCA (Organized Health Care Arrangement) or are affiliated entities.


Identifying Your Business Associates

• There are many differences in opinion among Covered Entities about WHO is a Business Associate.

• A Business Associate for one may or may not be a Business Associate for another.

• The Rule’s Definition leaves room for interpretation by the Covered Entity.


Examples of Business Associate services

• Claims processing or administration
• Data analysis processing or administration
• Utilization review
• Quality assurance
• Benefits administration
• Disease management
• Case management


Examples of Possible Business Associate Services

– Medical record copying services
– Collection agencies
– Transcription services
– Third party billing services
– Computer consultants with access to PHI
– Clearinghouses
– Other entities which perform standard transactions


Examples of Possible Business Associate Services (continued)

• Legal services
• Accounting and auditing services
• Actuarial services
• Consulting services
• Data Aggregation
• Management and administration
• Accreditation
• Financial services


Covered Entities should view vendors that have access to, use, or disclose PHI as Business Associates and act accordingly.


Who are NOT Business Associates?

• Banks

• Post Office

• CMS - oversight agencies

• Providers with staff privileges


Business Associate or NOT? That is the question!

– Do they need access to PHI to perform their job?

– Are they exposed to PHI just by being there?

Your organization’s security policies and procedures should protect from incidental exposure to PHI.


Model Contract Language

• Final rules include model Business Associate Contract Provisions.

• Use of model is not required.

• Not alone sufficient to result in a binding contract under State law.

• Also available on HIPAA COW web site: www.hipaacow.org


Contract Requirements

Business Associate Contracts Must:

1. Establish the permitted and required uses and disclosures of PHI by the Business Associate.

2. Authorize contract termination for cause if the Covered Entity determines that the BA has violated a material term of the contract.


Contract Requirements

3. Provide that the Business Associate will:

• Not use or further disclose PHI other than as permitted or required by the contract or by law.

• Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by contract.


Contract Requirements

• Report to the Covered Entity any use or disclosure of PHI not provided for by contract of which it becomes aware.

• Ensure that any agents, including subcontractors, to whom it provides PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information.


Contract Requirements

• Make PHI available in accordance with HIPAA.

• Make available PHI for amendment and incorporate any amendments to PHI.

• Make available the information required to provide an accounting of disclosures.


Contract Requirements

• Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of DHHS for compliance purposes.

• At termination of the contract, if feasible, return or destroy (and retain no copies) all PHI that the Business Associate still maintains in any form.


Complying with the Business Associate Requirement

What else should be done?


Review Existing Agreements

Contracts may exist as:

A formal Contract,

A Letter of Agreement, or

A Memorandum of Understanding


Begin Negotiation Process

• Will any Business Associates resist?

• Allow enough time

• Begin as soon as possible


How easy will it be?

• The less important your business is to a supplier/vendor/contractor, the less inclined that supplier will be to take on additional contractual obligations with you.

• Non-cost and administrative requirement reasons for Business Associate resistance.


HHS Proposes Transition Period

Certain existing vendor contracts would be deemed in compliance for up to one additional year beyond April 14, 2003, if:

– In existence prior to effective date.

– Do not expire or are not modified or amended prior to compliance date.

– Includes “evergreen” contracts.


Steps in HIPAA Compliance

• Education and Awareness
• Establish Project Team
• Develop Business Strategy
• Allocate Appropriate Resources
• Risk Assessment and Gap Analysis
• Preparation
• Implementation
• Auditing and Monitoring


If you have a Business Associate Contract

• No obligation to monitor Business Associates for compliance.

• Must address any known privacy violations.


Summary for Business Associates

• Locate all of your contracts.

• Identify which contracts are with Business Associates.

• Draft amendment language and begin negotiations.


Training of Business Associates

Covered Entities have no obligation to train their Business Associates. However, if they feel issues may arise, the Covered Entity may provide training to their Business Associates to minimize the risk of privacy breaches.


References

This presentation was created by:

• Renee Hinkel, RN, MSN
• Karen Bauer
• Joan Benson, MBA
• Anthony Cooper
• William Jensen, MBA
• Jennifer Laughlin, RHIA
• Richard Reynolds, FHIMSS
• Beth Zellar, MS, RHIA