Business Associate Issues and Business Associate Agreement Terms
One of the most distinctive aspects of the HIPAA privacy regulations is the impact they have on the interaction between covered entities and the third parties that they contract with for the provision of their services. The HIPAA regulations identify these third parties as Business Associates (“BA”). A BA is defined as a person or entity that, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of protected health information. The privacy rule permits disclosures to BAs after obtaining satisfactory assurances that the BA will use the information only for the contracted purpose and will safeguard the information from misuse. The HIPAA regulations require that, in order to obtain satisfactory assurances, a written contract between the covered entity and the BA must exist. Further, the regulations specify a list of provisions that must appear in the agreements.
How to Identify Business Associates
Business Associates may include a covered entity’s attorney, accountant, business consultant, billing service, answering service, computer support staff, debt collection entities, and others who, as part of their responsibilities, have access to, use, or disclose protected health information. Business Associates do not include a member of the covered entity’s staff, the U.S. Postal Service, janitorial services or most service companies.
The disclosures to the BA are only for purposes of assisting the covered entity, not for the independent use by the BA. As long as the covered entity complies with the privacy rule, it is not liable for privacy violations of the BA. In order to assure compliance, a BA must make its internal practices, and books and records related to the use or disclosure of PHI available to the Department of Health and Human Services.
As part of HIPAA compliance, a covered entity should evaluate all of its business relationships. This evaluation must not be limited to only entities with which a written contractual agreement is in existence. Once the complete list of vendors with a business relationship is identified, the list should be re-evaluated to determine which ones gain access to protected health information for the purposes of carrying out their activities. It is this subset of entities or individuals that require Business Associate agreements. By way of example, if the covered entity has a relationship with a debt collection service, records are made available to the debt collection service for purposes of carrying out its function. This activity would qualify the debt collection service as a Business Associate, requiring the existence of a written Business Associate agreement. On the other hand, janitorial services may have free access to the office and, as a result, be in a position to obtain PHI. However, obtaining PHI is not part of a janitorial service’s normal functions. As a result, there is no need for a Business Associate agreement. If, however, the covered entity determines that its janitorial service is impermissibly gaining access to PHI, the covered entity may need to take action to correct this abuse.
Once the subset of third parties that require Business Associate agreements is identified, the covered entity should then evaluate the current relationship with these entities to determine whether there are existing written contracts in place. For those with which a written agreement is in place, the covered entity should begin the preparation of an addendum to the contract to cover the HIPAA issues. For those with which there is no written contract, a stand-alone agreement can be established. There are numerous forms available. The difference between a stand-alone agreement and an addendum is typically only the term “Addendum” in the title.
Model Provisions for Business Associate Contracts
The agreement will typically begin with the identification of the parties. It is also advisable for the contract to contain a recital indicating that the parties will mutually agree to modify the agreement to incorporate amendments necessary to comply with the requirements of the HIPAA Act and its implementing regulations as they may change over time.
The first appropriate section of the contract would be an identification of the requirement to keep protected health information private. After the general rule, it is advisable for the contract to enumerate the permitted uses and disclosures. The purpose of this enumeration is to make clear that the listed uses and disclosures are the only ways in which the BA may use the information. Additionally, a recitation is common to enable the BA to use the information for its proper management and administration, and to carry out its legal responsibilities, but only if the disclosure is required by law, or the BA obtains reasonable assurance that the person or organization to which the BA will disclose the protected health information will hold such protected health information in confidence and notify the BA of any instance in which the person or organization becomes aware that the confidentiality of the protected health information was breached.
After listing the permitted uses and disclosures, the contract typically identifies a prohibition on unauthorized use or disclosure. Generally, this provision prohibits the Business Associate from using the protected health information for any other purpose except as permitted or required by the addendum or as required by law.
Next, this section informs the BA of its obligation to develop, implement, maintain and use appropriate administrative, technical and physical safeguards to preserve the integrity and confidentiality of the protected health information. Further, the BA is informed of its requirement to document these safeguards. Finally, this section should indicate that any subcontractors or agents of the BA will agree in writing to comply with the privacy obligations placed on the BA. This compliance should include a recitation that, if the BA conducts in whole or in part standard transactions on behalf of the covered entity, the BA will comply with, and will require any subcontractor or agent involved with the conduct of such standard transactions to comply with, the applicable requirements.
An additional section of the contract should be devoted to protected health information access, amendment and disclosure accounting as representing rights of the patient. The agreement should recite that the BA will promptly, upon the covered entity’s request, make available to the covered entity, or at the covered entity’s direction make available to the patient (or the patient’s personal representative), for inspection or obtaining copies, any PHI about the patient which the BA created or received from the covered entity.
In addition, the contract should alert the BA of its obligation to promptly amend or permit the covered entity access to amend any portion of the PHI upon receipt of notice for such action from the covered entity.
Further, to comply with the patient’s rights, the BA should be informed of its obligation to track any disclosures, except those done for treatment, payment, or health care operations or to the patient; to persons involved in the patient’s health care or payment for health care; for notification for disaster relief purposes; for national security or intelligence purposes or to law enforcement officials or correctional institutions regarding inmates. The disclosure requirements should also inform the BA that it must track the disclosure date; the name and address, if known, of the person or entity to whom the disclosure is made; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure. This reference should include the requirement that the BA keep track of the disclosures for a six (6) year period.
Finally, this section of the contract should require the BA to make its internal practices, and books and records relating to its use and disclosure of protected health information available to the covered entity or the U.S. Department of Health and Human Services.
An additional section of the contract should be included covering the potential breach of the privacy obligations and the consequences of any such breach. This section should begin with the requirement of the BA to report to the covered entity any use or disclosure of the PHI not permitted by the contract. The report should be made within 24 hours after the BA learns of the non-permitted or violating disclosure. The report should include, at a minimum, the nature of the non-permitted or violating use or disclosure; the PHI used or disclosed; who made, or received, the non-permitted or violating use or disclosure; what corrective action was taken by the BA; what the BA did or will do to mitigate any adverse effect of the disclosure; and such other information, including a written report, as the covered entity may reasonably request.
Under this section, the covered entity should also retain a right to terminate the agreement in its sole discretion if it is found that the BA has breached any provision of the agreement. Also listed should be the obligations upon termination, whether by purposeful termination, cancellation or expiration of the agreement. The BA should be required, if feasible, to return to the covered entity or destroy all protected health information. Such return or destruction should occur no later than 30 days after the effective date of the cancellation, termination or expiration. In the event return or destruction is not feasible, the BA will identify any protected health information which cannot be properly disposed of and will limit its further use or disclosure.
The BA should be informed of its obligation to protect the privacy of the PHI created or received from the covered entity and that this requirement will be continuous and survive the termination, cancellation or expiration of the agreement.
General provisions are typically included, as well. These would include pointing out that any definitions contained in the agreement refer back to the applicable federal regulations. It is also appropriate to indicate that the contract will automatically amend in the event of any amendment to the final regulations governing the privacy issues so that the contract may stay within compliance. Further, it is appropriate for the agreement to indicate that, as it relates to privacy issues, the addendum is to override any conflicts found in any existing underlying agreement.
It is also appropriate in counseling covered entities to explore the possibility of any business-related terms that can be inserted into the contract. These could include, but need not be limited to, indemnification provisions providing the covered entity with protection in the event that the BA breaches its obligations.