HIPAA and Business Associates

Transcript HIPAA and Business Associates

HIPAA Collaborative of Wisconsin
Business Associates
Extending the Reach of the Privacy Rule
This Training Module is Copyright © 2002 by the
HIPAA Collaborative of Wisconsin (“HIPAA COW”).
It may be freely redistributed in its entirety provided
that this copyright notice is not removed. It may not
be sold for profit or used in commercial documents
without the written permission of the copyright
holder.
This Training Module is provided “as is” without any
express or implied warranty. This Training Module
is for educational purposes only and does not
constitute legal advice. If you require legal advice,
you should consult with an attorney. HIPAA COW
has not yet addressed all state pre-emption issues
related to this Training Module. Therefore, this form
may need to be modified in order to comply with
Wisconsin law.
© Copyright 2002 HIPAA Cow
Contents
1. Review of Key Definitions
• Covered Entity
• Protected Health Information (PHI)
• Business Associate
2. Required Contract Provisions
3. Examples / Discussion
HIPAA History
• HIPAA stands for Health Insurance
Portability & Accountability Act of 1996.
• HIPAA was passed in 1996 as part of a
broad congressional attempt at
healthcare reform.
HIPAA Applies
to Covered Entities:
• Health Plans
• Health Care Providers (that transmit health information electronically in connection with a standard transaction)
• Health Care Clearinghouses
Privacy Rule:
What Does It Do?
The Privacy Rule regulates the use and disclosure
of Protected Health Information (PHI) by Covered Entities.
What is Protected Health
Information (PHI)?
Individually Identifiable Health Information that
is transmitted or maintained in any form or medium
and relates to the past, present, or future:
• Physical or mental health condition of an
individual; or
• Provision of health care to an individual; or
• Payment for the provision of health care to
an individual.
Business Associates:
Extending The Reach of the Rule
• The Privacy Rule applies directly only to Covered
Entities, not to the vendors they share PHI with.
• Covered Entities are therefore required to obtain
satisfactory assurances, documented in a written
contract, that their Business Associates will
appropriately safeguard the PHI they receive.
Who Are Your Business
Associates?
• A person or entity that performs a function or
activity on behalf of a Covered Entity, or provides
a service to a Covered Entity, where that work
involves the use or disclosure of PHI.
• NOT a member of your workforce.
Business Associates
• Perform a function on behalf of the Covered
Entity that involves the use or disclosure of
PHI.
• Workforce members are not Business Associates:
• Workforce includes employees, students, residents,
and volunteers whose conduct is under the direct
control of the Covered Entity.
• Independent contractors not under the Covered
Entity's direct control are not workforce.
• Entities that are part of an Organized Health Care
Arrangement (OHCA) or are affiliated Covered
Entities are also exempt.
Identifying Your Business
Associates
• Covered Entities differ widely in their opinions
about WHO is a Business Associate.
• A vendor that is a Business Associate for one
Covered Entity may or may not be one for
another, depending on whether it handles PHI.
• The Rule's definition leaves room for
interpretation by the Covered Entity.
Examples of Business
Associate services
• Claims processing or administration
• Data analysis, processing, or administration
• Utilization review
• Quality assurance
• Benefits administration
• Disease management
• Case management
Examples of Possible Business
Associate Services
– Medical record copying services
– Collection agencies
– Transcription services
– Third party billing services
– Computer consultants with access to PHI
– Clearinghouses
– Other entities which perform standard
transactions
Examples of Possible Business
Associate Services (continued)
• Legal services
• Accounting and auditing services
• Actuarial services
• Consulting services
• Data aggregation
• Management and administration
• Accreditation
• Financial services
Covered Entities should treat any
vendor that has access to, uses, or
discloses PHI as a Business Associate
and act accordingly.
Who are NOT Business
Associates?
• Banks (processing ordinary financial transactions)
• Post Office and similar courier or conduit services
• CMS and other government oversight agencies
• Providers with staff privileges at the Covered Entity
Business Associate or NOT?
That is the question!
– Do they need access to PHI to perform
their job? (If so, they are likely a Business Associate.)
– Are they exposed to PHI only incidentally, by
being on the premises? (If so, a contract is not
what is needed.)
Your organization's security policies
and procedures, not a Business Associate
contract, should protect against incidental
exposure to PHI.
Model Contract Language
• The final rules include model Business
Associate contract provisions.
• Use of the model language is not required.
• The model provisions alone are not sufficient
to create a binding contract under state law.
• Also available on the HIPAA COW web site:
www.hipaacow.org
Contract Requirements
Business Associate Contracts Must:
1. Establish the permitted and required
uses and disclosures of PHI by the
Business Associate.
2. Authorize contract termination for
cause if the Covered Entity
determines that the BA has violated a
material term of the contract.
Contract Requirements
3. Provide that the Business Associate will:
• Not use or further disclose PHI other
than as permitted or required by the
contract or by law.
• Use appropriate safeguards to
prevent use or disclosure of PHI other
than as provided for by contract.
Contract Requirements
• Report to the Covered Entity any use or
disclosure of PHI not provided for by the
contract of which it becomes aware.
• Ensure that any agent, including a
subcontractor, to whom it provides PHI
agrees to the same restrictions and
conditions that apply to the Business
Associate with respect to such information.
Contract Requirements
• Make PHI available to individuals for access
in accordance with HIPAA.
• Make PHI available for amendment
and incorporate any amendments to
PHI.
• Make available the information
required to provide an accounting of
disclosures.
Contract Requirements
• Make its internal practices, books, and
records relating to the use and
disclosure of PHI available to the
Secretary of DHHS for compliance
purposes.
• At termination of the contract, if
feasible, return or destroy (and retain
no copies) all PHI that the Business
Associate still maintains in any form.
If return or destruction is not feasible,
the contract's protections must continue
to apply to the retained PHI, and further
uses must be limited to the purposes that
make return or destruction infeasible.
Complying with the
Business Associate
Requirement
What else should be done?
Review Existing Agreements
Contracts may exist as:
• A formal Contract,
• A Letter of Agreement, or
• A Memorandum of Understanding
Begin Negotiation Process
• Will any Business Associates resist?
• Allow enough time
• Begin as soon as possible
How easy will it be?
• The less important your business is to a
supplier, vendor, or contractor, the less
inclined that supplier will be to take on
additional contractual obligations with you.
• Business Associates may also resist for
reasons other than cost and administrative
burden.
HHS Proposes Transition Period
Certain existing vendor contracts would
be deemed in compliance for up to one
additional year beyond April 14, 2003, if they:
– Were in existence prior to the effective date.
– Do not expire and are not modified or
amended prior to the compliance date.
– This includes "evergreen" contracts that
renew automatically.
Steps in
HIPAA Compliance
• Education and Awareness
• Establish Project Team
• Develop Business Strategy
• Allocate Appropriate Resources
• Risk Assessment and Gap Analysis
• Preparation
• Implementation
• Auditing and Monitoring
If you have a Business
Associate Contract
• The Covered Entity has no obligation to
actively monitor Business Associates for
compliance.
• It must, however, act on any known privacy
violation: take reasonable steps to cure the
breach or end the violation, and if that fails,
terminate the contract where feasible.
Summary for Business
Associates
• Locate all of your contracts.
• Identify which contracts are with
Business Associates.
• Draft amendment language and
begin negotiations.
Training of Business Associates
Covered Entities have no obligation to
train their Business Associates.
However, if the Covered Entity anticipates
problems, it may provide training to its
Business Associates to minimize the risk
of privacy breaches.
References
This presentation was created by:
• Renee Hinkel, RN, MSN
• Karen Bauer
• Joan Benson, MBA
• Anthony Cooper
• William Jensen, MBA
• Jennifer Laughlin, RHIA
• Richard Reynolds, FHIMSS
• Beth Zellar, MS, RHIA