Healthcare Practice Group Publications
General Guidelines for Business Associate Contracts Under HIPAA
I. Overview
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") covers a broad range of healthcare issues. Among other things, HIPAA required the government to issue regulations concerning electronic transactions and patient privacy. These HIPAA protections are set out in the "Security Regulations," the "Transactions Standards Regulations" and the "Privacy Regulations," as described below.
The Center for Medicare Services ("CMS"), formerly known as the Health Care Financing Administration ("HCFA"), and the Department of Health and Human Services ("DHHS") published proposed rules for Security and Electronic Signature Standards ("Security Regulations") on August 12, 1998. The proposed Security Regulations set forth basic standards for electronic transactions and codes relating to health claims, healthcare payments, remittance advices, etc. The proposed Security Regulations apply to all electronic transmissions of information, including the movement of information from one location to another using magnetic tape, disk or compact disk.
A final rule issued August 17, 2000 mandates standardization for eight (8) electronic transactions relating to the electronic submission of payment claims to payors <1> ("Transactions Standards Regulations"). A proposed technical amendment to the Transactions Standards Regulations was published on May 31, 2002.
Finally, DHHS published the Standards for Privacy of Individually Identifiable Health Information ("Privacy Regulations") on December 28, 2000. A revised final rule for the Privacy Regulations was published on August 14, 2002 (the "Final Rule"). The Privacy Regulations expanded the scope of HIPAA to provide that protected health information ("PHI") includes not only any individually identifiable health information ("IIHI") that is or has been electronically transmitted or maintained by a Covered Entity, but also any IIHI transmitted or maintained in any form, not just electronically. Therefore, information transmitted on paper or verbally is also covered.
Covered Entities include health plans (e.g., employee welfare benefit plans, health insurance issuers, HMOs), healthcare clearinghouses (e.g., billing companies), and healthcare providers (if at any time such healthcare provider electronically stores and transmits healthcare information, or if it employs a third party to process its billing and that third party stores, transmits and processes those claims electronically). HIPAA sets forth eleven types of information exchanges that are covered by the electronic transaction code. Ten are specific and the eleventh is a "catch-all" for any additional transactions that DHHS may prescribe. These are broad categories, and there is little doubt that every healthcare provider will fit within them.
Ultimately, every healthcare provider will need to adopt a compliance plan which addresses the regulations adopted under HIPAA. Enforcement of the Privacy Regulations will go into effect April 13, 2003. Under the Final Rule issued in August 2002, however, you will not need to amend your business associate contracts to comply with the Privacy Regulations until the earlier of: (a) April 14, 2003 (or the later date of renewal, creation or amendment) for contracts that are renewed, created or amended after October 14, 2002; or (b) April 14, 2004 for contracts that are in place prior to October 14, 2002 and are not renewed or amended (except for automatic renewal of an evergreen contract). <2> Enforcement of the Transactions Standards Regulations will go into effect October 15, 2002. (Compliance may be extended for one (1) year if proper forms are filed with DHHS prior to October 15, 2002.) HIPAA imposes both civil and criminal penalties for failure to comply.
HIPAA requires Covered Entities to impose certain contractual requirements on Business Associates (e.g., vendors, suppliers) that receive or create PHI from or on behalf of a Covered Entity. This Article does not attempt to cover HIPAA compliance exhaustively; rather, it is intended to set forth the key points of the proposed Security Regulations, the Transactions Standards Regulations and the final Privacy Regulations promulgated under HIPAA which should be addressed in agreements between Business Associates and Covered Entities.
II. Guidelines for Business Associate Relationships
"Business Associates" include:
A. A person who performs or assists in the performance of a function or activity on behalf of the Covered Entity, which involves the use or disclosure of IIHI (e.g., claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing and repricing; practice management); and
B. A person who provides any of the following services to or for a Covered Entity if the service involves the disclosure of IIHI from the Covered Entity or another Business Associate: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, financial.
HIPAA excludes from the definition of Business Associate members of the Covered Entity's workforce (which, in limited circumstances, may even include independent contractors)<3>, entities that perform services as part of an Organized Health Care Arrangement ("OHCA")<4>, entities that are mere conduits for information (e.g., the United States Post Office) and financial institutions that process payments for healthcare (subject to certain qualifications).
A Covered Entity will be held non-compliant with the Privacy Regulations if it knows of a pattern of activity of its Business Associate that breaches the Business Associate's obligations with respect to PHI, unless the Covered Entity took steps to either cure the breach or terminate its contract with the Business Associate. Business Associates must abide by the following guidelines:
A. They may not use or further disclose PHI other than as permitted or required by a contract or as required by law;
B. They must use appropriate safeguards to prevent use or disclosure of PHI other than as provided by the contract;
C. They must report any use or disclosure of PHI not provided for by the contract of which they become aware;
D. They must ensure that their agents and subcontractors agree to the same provisions with respect to protection of PHI;
E. They must make PHI available to the individual who is the subject of the health information if the Business Associate maintains the information as a "designated record set" (although the Covered Entity may wish to provide that all requests for PHI be referred to the Covered Entity);
F. They must make PHI available for, and incorporate, any amendments as required by HIPAA;
G. They must make PHI available for providing an accounting of disclosures upon request; and
H. Finally, they must make their internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of DHHS.
III. Required Provisions
Any contract between an entity that falls within the Privacy Regulations' definition of a "Business Associate" and a healthcare provider for which it performs services (i.e., the "Covered Entity") should ensure that the Business Associate will meet its HIPAA obligations, and must include provisions addressing:
A. permitted and required uses and disclosures of PHI by the Business Associate. (The agreement may not authorize the Business Associate to use or further disclose PHI in a manner that would violate HIPAA if done by the Covered Entity);
B. the use by Business Associate of safeguards to protect information;
C. the Business Associate making internal practices, books, and records available to the DHHS for determining the Covered Entity's compliance with the Privacy Regulations;
D. the mandatory return or destruction of PHI. The Agreement should specifically provide that at termination of the contract, all PHI received from the Covered Entity will, to the extent feasible, be returned or destroyed. If it is not feasible to return or destroy PHI, the contract must extend the protections provided for in the contract beyond termination and limit further use and disclosure; and
E. termination of the agreement by the Covered Entity if the Covered Entity determines that the Business Associate (including its employees, agents, etc.) has violated its HIPAA obligations.
The Final Rule includes model contract provisions; however, these model provisions include provisions under the heading "Obligations of the Covered Entity" which are not required under the Privacy Regulations. The model language does not create a "safe harbor" nor does it necessarily address all of the concerns that the parties may have.
IV. Additional Recommended Provisions
In addition, we recommend that Covered Entities consider including the following concepts in a Business Associate's contract:
A. provide that the parties agree to comply with the Health Insurance Portability and Accountability Act, Public Law No. 104-191 ("HIPAA"), and all rules and regulations adopted under and pursuant thereto, including, without limitation, the "Privacy Regulations," the "Security Regulations" and the "Transaction Standards Regulations," as well as the parties' agreement to further modify their obligations under the Agreement as may be necessary in order to comply with HIPAA and the rules and regulations promulgated thereunder;
B. provide that the Business Associate agrees to indemnify the Covered Entity from liability resulting from or in connection with the Business Associate's (and its employees, agents, etc.) failure to comply with HIPAA and the rules and regulations promulgated thereunder, and will maintain insurance coverage to support its indemnification obligations;
C. allocate among the Covered Entity and the Business Associate the obligation to mitigate harmful effects of a breach of HIPAA, and expressly give the Covered Entity the right to cure the Business Associate's breach of HIPAA;
D. provide that the Business Associate will comply with Covered Entity's security policies and procedures;
E. provide that the Business Associate represents/warrants that the PHI requested and used does not exceed the minimum amount necessary to serve the intended purpose of the Agreement;
F. require the Business Associate to stipulate to the burden of proof that the Covered Entity must meet to obtain an injunction as a cure;
G. affirmatively provide that the Covered Entity is the exclusive owner of PHI;
H. require the Business Associate to relinquish to the Covered Entity control over the response to any subpoena received by the Business Associate;
I. require the Business Associate to conduct appropriate HIPAA security and privacy training for the Business Associate's workforce; and
J. provide that neither party is a third-party beneficiary of the other.
V. Proposed Security Regulations and Software Controls and Protocols: Additional Guidelines
The proposed Security Regulations also set forth requirements relating to software controls and protocols within and surrounding particular data systems. Parties that enter into an agreement to electronically exchange data (a "Chain-of-Trust Partner Agreement")<5> would also need to satisfy the requirements proposed under the Security Regulations. The controls and protocols set forth under the proposed Security Regulations are intended to:
A. regulate access to particular privilege classes (including provisions for emergency access);
B. ensure internal systems audits and controls;
C. provide for data authentication to prove stored data is neither altered nor inappropriately accessed or processed; and
D. ensure user/communicator authentication and access control, using such methods as automatic logoff, user identification and other access controls such as biometric identification, passwords, a callback function or token-based systems.
Proposed implementation requirements include:
A. internal verification that data being transmitted or stored is valid (integrity controls);
B. procedures ensuring that messages sent and received are the same (message authentication); and
C. either access control over transmissions, or encryption. If encryption techniques are not used, then alarms to signal abnormal communication, automatic recording of audit trail information and a means of entity authentication should be implemented.
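The proposed Security Regulations describe the goals of these controls (integrity, message authentication, audit trail, alarms on abnormal communication) without prescribing a mechanism. The following is an added illustration, not part of the original article and not language from the regulations, of how a Chain-of-Trust partner exchange could meet the integrity-control and message-authentication requirements on a single message. It assumes HMAC-SHA256 over a canonical serialization as the authentication method, a shared key provisioned out of band, a nonce to detect replayed messages, and an audit record written for every verification outcome so that rejected messages can raise an alarm; the key, sender name and claim payload are constructed values.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed shared secret for the two exchange partners. Assumption: in a real
# deployment this is provisioned out of band and never embedded in source code.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Receiver-side audit trail: one record per verification attempt.
AUDIT_LOG = []


def canonical(body: dict) -> bytes:
    """Serialize deterministically so sender and receiver authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(key: bytes, sender: str, payload: dict) -> dict:
    """Sender side: wrap the payload with a fresh nonce and an HMAC-SHA256 tag."""
    body = {"sender": sender, "nonce": secrets.token_hex(16), "payload": payload}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(key: bytes, envelope: dict, seen_nonces: set) -> bool:
    """Receiver side: recompute the tag, compare in constant time, reject replays,
    and record the outcome in the audit trail. Returns True only for a message
    that is both authentic and new."""
    body = envelope["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(expected, envelope.get("tag", ""))
    replayed = authentic and body.get("nonce") in seen_nonces
    accepted = authentic and not replayed
    if accepted:
        seen_nonces.add(body["nonce"])
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "sender": body.get("sender"),
        "nonce": body.get("nonce"),
        "result": "accepted" if accepted else ("replay" if replayed else "tag_mismatch"),
    })
    return accepted


def alarms() -> list:
    """Audit records that should trigger an abnormal-communication alarm."""
    return [r for r in AUDIT_LOG if r["result"] != "accepted"]


def demo() -> dict:
    """Run the three cases a verifier must distinguish: genuine, tampered, replayed."""
    seen = set()
    # Constructed claim payload; field names are illustrative only.
    claim = {"claim_id": "EXAMPLE-0001", "amount_cents": 12500}
    env = protect(SHARED_KEY, "clearinghouse-A", claim)

    genuine = verify(SHARED_KEY, env, seen)

    # Integrity failure: the payload is altered in transit but the tag is not.
    tampered = json.loads(json.dumps(env))
    tampered["body"]["payload"]["amount_cents"] = 9_999_900
    tampered_ok = verify(SHARED_KEY, tampered, seen)

    # Replay: the original, correctly tagged message is delivered a second time.
    replay_ok = verify(SHARED_KEY, env, seen)

    return {"genuine": genuine, "tampered": tampered_ok, "replay": replay_ok}


if __name__ == "__main__":
    print(demo())
    for record in alarms():
        print("ALARM:", record)
```

The constant-time comparison (`hmac.compare_digest`) matters because a byte-by-byte `==` on the tag leaks timing information; the nonce set should be persisted and bounded in a real receiver, and the audit record deliberately stores the nonce and sender rather than the payload so the trail itself does not become a second copy of PHI.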
VI. Trading Partners: More Guidelines Under the Transactions Standards Regulations
In addition to the guidelines set forth under the Privacy Regulations and the proposed Security Regulations, the Transactions Standards Regulations establish yet another set of guidelines. For example, although the Transactions Standards Regulations do not formally define a "Trading Partner," they do define a "Trading Partner Agreement" as an agreement related to the exchange of information in electronic transactions, whether distinct or part of a larger agreement. Trading Partner Agreements may not include provisions which:
A. change the definition, data condition or use of a data element or a segment in a standard;
B. add any data elements or segments to the maximum defined data set;
C. use any code or data elements that are either marked "not used" or are not used in the standards implementation specifications; or
D. change the meaning or intent of the standard implementation specifications.
VII. Conclusion
As set forth above, there are many factors which should be considered whenever a Covered Entity enters into any agreement with another party that will in any way involve PHI. The healthcare practitioner should keep in mind not only the guidelines set forth in the Privacy Regulations but also the guidelines set forth in the Transactions Standards Regulations and the proposed Security Regulations.
_____________________________________________________
Footnotes
1. Claims and encounters; enrollment and disenrollment; eligibility; health plan payment and remittance; health plan premium payments; additional information request; health claim status; and referral certification and authorization.
2. As a practical matter, you will still need some agreement or assurance that Business Associates will allow you to grant an individual the right of access and the right to request amendments to PHI, which you must provide to the individual by April 14, 2003.
3. The preamble to the Privacy Regulations states: "In addition, we clarify that if the assigned work station of persons under contract is on the covered entity's premises and such persons perform a substantial proportion of their activities at that location, the covered entity may choose to treat them either as business associates or as part of the workforce, as explained in the discussion of the definition of business associate. If there is no business associate contract, we assume the person is a member of the covered entity's workforce. We note that independent contractors may or may not be workforce members. However, for compliance purposes we will assume that such personnel are members of the workforce if no business associate contract exists."
4. A group of Covered Entities may, subject to specific criteria, create a joint venture arrangement so that they can share PHI among participating Covered Entities. In addition, legally separate Covered Entities that meet affiliation requirements may designate themselves as a single Covered Entity. These arrangements in and of themselves do not create a business associate relationship. However, to the extent the joint venture participants provide other functions on behalf of each other, they may create business associate relationships.
5. The proposed Security Regulations define a "Chain-of-Trust Partner Agreement" as a contract entered into by two business partners in which the partners agree: (a) to electronically exchange data, and (b) to protect the integrity and confidentiality of the data exchanged.
Michael J. Compagni, Esq.
Scolaro, Shulman, Cohen, Fetter & Burstein, P.C.
315-471-8111
