Healthcare Practice Group Publications

Who are you calling a “Business Associate”?

Maybe you. The Business Associate rules are part of the final privacy regulations issued by the United States Department of Health and Human Services ("HHS") on December 28, 2000. These complicated privacy rules are the result of a much larger mandate, ironically aimed at "Administrative Simplification," created by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The HIPAA privacy standards, as they have come to be known, require, among many other things, that all "Covered Entities" obtain assurances from their "Business Associates" that they will safeguard protected health information ("PHI"). PHI is generally defined as health information which is individually identifiable; in other words, it is possible to tell to whom it pertains. Most Covered Entities have until April 14, 2003 to comply, and they will need to act quickly in order to do so successfully.

Covered Entities include health plans (e.g., HMOs, employee welfare benefit plans, health insurance companies), healthcare clearinghouses (e.g., repricing companies, billing companies, value-added networks), and healthcare providers (e.g., doctors, hospitals, home health agencies).

There are two categories of Business Associates. The first category defines a Business Associate as a person who performs, or assists in the performance of, a function or activity on behalf of the Covered Entity that involves the use or disclosure of PHI. Business Associates in this category typically include companies that perform claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and/or repricing for Covered Entities.

The second category defines a Business Associate as a person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative services, accreditation, and/or financial services to a Covered Entity, if the service involves the disclosure of PHI.

A Business Associate does not include members of the Covered Entity's workforce, entities that are mere conduits (e.g., the postal service), and the like.

So, I'm a Business Associate of a Covered Entity. Now what?

A Covered Entity may disclose PHI to a Business Associate only if the Covered Entity first obtains "satisfactory assurance" that the Business Associate will appropriately safeguard the PHI.

Yeah, so?

Under the HIPAA privacy regulations, "satisfactory assurance" requires a written contract.

Ah, now I understand where the lawyer comes in.

The HIPAA privacy regulations are very specific with respect to certain requirements which must be in the written contract in order to provide "satisfactory assurance". Business Associates should familiarize themselves with what is specifically required by the HIPAA privacy regulations and what is not. In many instances, in order to remain legally compliant, Covered Entities must enter into these agreements with their Business Associates.

This may mean you!

The Business Associate must be able to discern where the Covered Entity is attempting to pass along too much risk (in the form of contractual or statutory liability) to the Business Associate. Necessarily, therefore, there is a certain level of competing interest between the Covered Entity and the Business Associate.

For example, the HIPAA privacy rules require that the written contract provide that the Business Associate not use or further disclose the PHI other than as permitted or required by the contract or as required by law. In other words, the Business Associate must specifically agree to use the PHI only for the purposes established by the relationship between the Business Associate and the Covered Entity. The HIPAA privacy rules do not require that the written agreement provide that the Covered Entity will be indemnified and held harmless by the Business Associate for any breach by the Business Associate of its obligations in connection with the security, privacy or confidentiality of PHI. However, you may be assured that these issues will be hotly negotiated between the Covered Entity and the Business Associate.

Similarly, the HIPAA privacy regulations do not require the Business Associate to purchase insurance to secure such indemnification for the benefit of the Covered Entity. The Covered Entity, however, will certainly want to impose these requirements upon the Business Associate in order to pass along certain risks. Moreover, a Covered Entity is certainly not going to be amenable to paying the Business Associate more to cover the cost of purchasing insurance, particularly since the Covered Entity is going to be expending a great deal of its own resources in order to comply with the privacy rules.

Notably, in this context, HHS posted its first guidance on the HIPAA privacy regulations on July 6, 2001. Among other things, the guidance indicated that the privacy rules do not "pass through" their requirements to Business Associates. Thus, for example, Covered Entities cannot mandate that Business Associates appoint privacy officers or develop policies and procedures similar to those of the Covered Entity. In addition, the July 6 guidance clarifies that a Covered Entity is not generally liable for privacy violations of a Business Associate, and that a Covered Entity is not required to actively monitor or oversee the means by which the Business Associate abides by the requirements of the written contract. However, the written contract must provide that the Business Associate will notify the Covered Entity when a privacy violation occurs. If the Covered Entity fails to take "reasonable steps" to cure the breach or end the violation, or, failing that, to terminate the contract, then the Covered Entity itself may be out of compliance with the privacy rules and exposed to liability. Here, again, is where indemnification negotiations come into play. These issues must be addressed at the inception of the relationship.

Other considerations of Business Associates with respect to written contracts required by HIPAA include:

  • Damages – caps on damages amounts; availability of punitive damages; limitations to statutory damages; disclaimers and exclusions with respect to consequential damages.
  • Right to Cure – the Business Associate should ensure it secures a right to cure a breach, if possible, prior to liability attaching.
  • Data Ownership – the agreement should make clear which party owns what part of any data collected by a Business Associate. Certainly, the Covered Entity should own the PHI itself.
  • Subpoenas – the agreement should specify how legal process seeking PHI is going to be handled between the parties.

The issues surrounding Business Associates and Covered Entities and their relationships will certainly develop further as the privacy rules take effect.

For more information about the HIPAA privacy rules and requirements of Business Associates, visit the Administrative Simplification website of HHS at http://aspe.os.dhhs.gov/admnsimp/.

Marc S. Beckman, Esq.
Scolaro, Shulman, Cohen, Fetter & Burstein, P.C.
315-471-8111
