
Business Associates 101


Presentation Transcript


  1. HIPAA Privacy Business Associates 101 Jennifer Wolfe Jerram, B.S.N., J.D. email: jjerram@stinson.com www.stinson.com (402) 342-1700

  2. Where to look in the regulations: Business Associate - Defined • § 160.103: Federal Register, p. 82798 • Preamble – pp. 82475-76 • Comments – p. 82567

  3. Where to look in the regulations: Business Associate - Disclosure Standard • § 164.502(e); Federal Register, p. 82806 • Preamble – p. 82499 • Comments – pp. 82640-45

  4. Where to look in the regulations: Business Associate - Contract Requirements • § 164.504(e): Federal Register, pp. 82808-09 • Preamble – pp. 82503-07 • Comments – pp. 82640-45

  5. Who is a Business Associate? • A party who will be governed indirectly by portions of the HIPAA privacy regulations by virtue of his/her/its contractual obligations to covered entities.

  6. Who are your Business Associates? • 2 separate groups under the regulations

  7. Who are your Business Associates? 1st Group: Relationship with Covered Entity A person or entity who performs or assists in the performance of a function or activity involving the use or disclosure of PHI on behalf of the Covered Entity.

  8. Who are your Business Associates? Examples include: • Claims processing • Data analysis • UR (utilization review) • QA (quality assurance) • Billing • Others

  9. Who are your Business Associates? 2nd Group: Listed Functions A person or entity who provides certain identified services to the Covered Entity, where the provision of services involves disclosure of PHI.

  10. Who are your Business Associates? Services Identified in Privacy Regulations • legal • actuarial • accounting • consulting • data aggregation • management • administrative • accreditation • financial services (end of list - no others)

  11. Business Associates • Members of your workforce are not your Business Associates • Covered Entities can be Business Associates of other Covered Entities

  12. Business Associates What’s in a Name? • Business Partner –proposed privacy regulations • Trading Partner – code sets and transactions • Chain of Trust Agreements – proposed security standards

  13. How to Identify your Business Associates: • Education • Survey tools • Inventory existing contracts

  14. How to Identify your Business Associates (cont’d): • Who has authority to execute contracts? (don’t forget satellite locations, affiliated entities) • Where are existing contracts kept? • How many oral contracts are “out there?” • Are you the Covered Entity or the Business Associate?

  15. Always ask this question: Is the use/disclosure of PHI really necessary?

  16. Now, let’s complicate things: Is the use/disclosure of PHI necessary for the B/A to carry out its own function, or is the B/A carrying out a function on behalf of the C/E?

  17. Disclosures to Business Associates • Disclosure to a B/A is an exception to the general rule under HIPAA: No use/disclosure unless there’s an exception in the regulations.

  18. Disclosures to Business Associates A C/E may disclose PHI to a B/A and may allow a B/A to create or receive PHI on its behalf, if the C/E obtains satisfactory assurance that the B/A will appropriately safeguard the PHI.

  19. “SATISFACTORY ASSURANCE”

  20. Disclosures to Business Associates “Satisfactory Assurance” requires a written contract or other written agreement or arrangement with the B/A that meets the requirements of § 164.504(e)

  21. Requirements under § 164.504(e) • Establish the B/A’s permitted/required uses and disclosures of PHI • Contract may not authorize the B/A to use/further disclose PHI in a manner that would violate the regulations if done by the C/E • Has the C/E agreed to any restrictions on its own uses/disclosures?

  22. § 164.504(e) B/A Contract must provide that the B/A will: • Not use/further disclose PHI other than as permitted/required by the contract or as required by law; • Use “appropriate safeguards” to prevent use/disclosure of PHI other than as provided for by its contract.

  23. § 164.504(e) B/A Contract must provide that the B/A will: (cont’d) • Report to the C/E any use/disclosure of PHI not provided for by its contract; • Ensure that any agents, including subcontractors, agree to same restrictions;

  24. § 164.504(e) B/A Contract must provide that the B/A will: (cont’d) • Make PHI available in accordance with § 164.524 (access to individuals); • Make PHI available for amendment and incorporate any amendments in accordance with § 164.526;

  25. § 164.504(e) B/A Contract must provide that the B/A will: (cont’d) • Make available the information required for the C/E to provide an accounting of disclosure pursuant to § 164.528; • Make its internal practices, books and records relating to use/disclosure of PHI available to HHS Secretary;

  26. § 164.504(e) B/A Contract must provide that the B/A will: (cont’d) • Return or destroy all PHI upon termination of the contract – if not feasible to return/destroy, then the contractual protections must be extended to limit any further uses/disclosures;

  27. § 164.504(e) B/A Contract must provide that the B/A will: (cont’d) • Authorize termination of the contract by the C/E if the C/E determines that the B/A has violated a material term of the contract; and

  28. B/A Contract should also provide that the B/A will: • Retain records for 6 years (enables the C/E to comply with its own duties under Individual Rights)

  29. A Welcome Change from the Proposed Regulations • Intended Third Party Beneficiary clause is NOT required under final privacy regulations

  30. Business Associate contracts MAY permit: • The B/A to use/disclose PHI for the proper management and administration of the B/A or to carry out the legal responsibilities of the B/A.

  31. Business Associate contracts • If you are the B/A, you might want to include this permissible provision.

  32. Covered Entity’s Compliance C/E is NOT in compliance with § 164.502(e) if: • C/E knew of a pattern of activity or practice of the B/A that constituted a material breach or violation of the B/A’s obligations under the contract – unless C/E took “reasonable steps” to cure the breach or end the violation.

  33. Covered Entity’s Compliance If C/E’s “reasonable steps” were unsuccessful, C/E must: • Terminate the contract; or • If termination is not feasible, report the problem to the HHS Secretary.

  34. Covered Entity’s Compliance What does this mean? • C/E must have knowledge of the breach • C/E liable if it fails to respond (cure, terminate and/or report)

  35. Steps to Compliance • Identify potential B/A situations. • Are you the C/E? • Are you the B/A? • Is PHI really necessary?

  36. Steps to Compliance • Is a B/A contract required? • Is there already a contract in place? • When/how does it terminate? • What is required to amend it?

  37. Steps to Compliance • Privacy Addendum • Whole new agreement • Placeholder language • Individualize B/A requirements as needed

  38. Steps to Compliance Coordinate with Security/Code Sets Compliance Efforts

  39. Steps to Compliance JOIN THE NE-SNIP PRIVACY WORK GROUP!
