Looming HIPAA rule highlights healthcare business associates

SAN DIEGO - While the Ides of March proved ominous for Julius Caesar, the Ides of April may hold equally dark clouds for U.S. radiology administrators. April, of course, is when soothsayers predict the final privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) will take effect. Among the HIPAA compliance measures healthcare administrators are expected to have in place on April 14, 2003, are business associate agreements for protected health information.

The penalties for not having these agreements are stiff and serious, said attorney Diane McKenzie in a presentation Monday at the Healthcare Information and Management Systems Society (HIMSS) conference.

"A firm faces substantial fines and criminal prosecution for not following the HIPAA privacy requirements," said McKenzie, who is a senior partner with the Internet law firm of Gordon and Glickson in Chicago. McKenzie shared her thoughts on drafting business associate agreements with professionals and service groups, starting with a definition of protected health information.

"Protected health information is all medical records and all other individually identifiable health information created or received by a covered entity in any form, whether electronically, on paper, oral, or otherwise. This includes information transmitted by electronic media, maintained in electronic media, or transmitted in any other form or medium," she explained.

Associating associates

"A business associate is a person or entity that on behalf of a covered entity performs or assists in the performance of a function or activity that involves the use or disclosure of protected health information, or provides certain services to or for a covered entity (your practice), where the provision of the service involves disclosure of protected health information," McKenzie stated.

Firms that qualify as business associates include those providing claims processing, claims administration, utilization review, quality assurance, billing, benefit management, practice management, data analysis, legal, actuarial, accounting, consulting, data aggregation, financial, staffing, and accreditation services.

Similarly, attorneys, actuaries, accountants, business consultants, management consultants, tax advisors, financial advisors, medical equipment suppliers, software and hardware vendors, software developers, information technology consultants, technology support, and maintenance service providers are among the professionals with whom a practice will want to have business associate agreements.

There are some businesses that are exempt from associate agreements. These are conduits for transport or transmission such as a delivery service or telephone company; financial institutions such as a bank or credit card company; and participants in an organized healthcare agreement where the function or activity is being performed as part of that agreement.

"Our recommendation is that when you’re in doubt as to whether or not someone or something is a business associate, then you should get a business associate agreement," advised McKenzie.

Structure

Even if the firm has business agreements in place with an associate, McKenzie recommends segregating HIPAA terms and conditions into a separate written agreement.

"It supplements your primary contract containing the terms on which you do business, it’s flexible and permits an adaptable approach. (It’s) good in case final HIPAA security rules require changes to the agreement, it compartmentalizes issues and negotiations, and it’s helpful for compliance purposes. You only have to show this document to HHS if they are investigating the business associate agreement," she noted.

Required provisions

There are several provisions that must be in all business associate agreements. The agreement:

  • Must establish the permitted and required uses and disclosures of protected health information.

  • May not authorize any use or disclosure that would violate the regulations if performed by the covered entity.

  • Must require that protected health information be used and disclosed only as permitted or required.

  • Must require the business associate to use appropriate safeguards.

  • Must require the reporting of unauthorized uses and disclosures.

  • Must ensure that agents and subcontractors agree to similar restrictions.

  • Must accommodate individual rights, such as the right of access to inspect or obtain a copy of protected health information.

  • Must make internal practices, books, and records available.

  • Must provide for the return or destruction of protected health information.

  • Must provide the ability to terminate the agreement.

"In addition, a firm may also want to include additional provisions permitted by the regulations, such as permitting the business associate to use and disclose, if necessary, protected health information for proper management and administration or as required by law; or allowing a business associate to combine protected health information of one covered entity with that of another covered entity for data aggregation services," McKenzie said.

Tilting agreements

Although the required provisions for each agreement may seem thorough, there are several additional items a firm should try to negotiate into its business associate agreements.

"The most highly recommended provision for a covered entity to have in its business associate agreements is a provision for mitigation," said McKenzie.

A mitigation provision holds that a business associate must promptly cure any breach or violation and take all necessary and appropriate steps, at its expense, to mitigate any harm caused, she said.

Other provisions that her firm recommends its clients try to obtain are:

  • Intervention, which grants the covered entity the right to intervene and effectuate a cure of a breach or violation, and stipulates that any breach or violation would cause irreparable harm entitling the covered entity to injunctive relief.

  • Compliance with all applicable laws and regulations, including future and modified HIPAA regulations.

  • Indemnification against claims or damages resulting from a breach or violation of the business associate’s duties.

  • A requirement that the business associate carry insurance coverage for claims and damages resulting from a breach of its duties.

  • A limit on protected health information to the minimum necessary to accomplish the intended purpose of the use or disclosure.

  • Documentation of uses and disclosures, together with the development, maintenance, and retention of privacy policies and procedures.

  • A requirement that the business associate train its staff on privacy policies and procedures.

  • A definition of the business associate’s access, identification, and authentication processes for protected health information.

  • Notification of the covered entity in the event of a subpoena or discovery request.

  • Methods and procedures for the disposal or destruction of protected health information.

As the deadline for implementation of business associate agreements is only two months away, radiology administrators have to be sure that their firms are in compliance with the regulations.

"If a business associate doesn’t want to sign an agreement with your firm, and you don’t want to be a guest of Club Fed (i.e., prison), then you had better find another associate with whom to conduct business -- and get a signed agreement in place before you do," McKenzie advised.

By Jonathan S. Batchelor
AuntMinnie.com staff writer
February 11, 2003


Copyright © 2003 AuntMinnie.com
