Disclaimer: CMA/PrivaPlan PrivaGuide: Business Associate Agreements.
The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.
PrivaGuide: Business Associate Agreements
By Lesley Berkeyheiser and David Ginsberg
Introduction
The HIPAA Privacy Rule requires that you enter into legally binding contracts or agreements with your business “associates” to guarantee that they will protect PHI. HIPAA requires specific assurances and language that these “associates” must adhere to.
How to do this:
In this section we document some practical suggestions for meeting the core HIPAA privacy requirements. “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to on-going activities that must be accomplished on a recurring basis. Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation applies to you.
The sample procedures included in this PrivaGuide will help you do the following:
- Identify your business partners who are considered a “business associate”.
- Develop and implement business associate contracts or agreements.
- Handle problems when business associates violate their agreement with you.
- Document the above.
PROCEDURE—Identify Business Associates
The first step is to determine who is a “business associate”. HIPAA defines a business associate as a person or organization, other than a member of your workforce, that performs certain functions or services involving PHI on your behalf. Members of your workforce, meaning employees, independent contractors, volunteers, trainees and other persons under the direct control of your organization, whether or not you pay them, are not business associates.
Other individuals or companies are business associates if they act on your behalf and perform, or assist in performing, a function or activity that involves the use or disclosure of protected health information. In other words, do they “borrow” your PHI to provide a service that you have requested?
Examples of such services or companies can include:
- Claims processing or billing
- Collections or claims follow up
- Data analysis
- Answering service
- Transcription services
- Practice management firm or consultant
- Quality assurance programs such as a coding review for Medicare Fraud and Abuse
- Legal or accounting advice
- Hardware maintenance company that supplies the computers for your billing system
- Computer software maintenance
- Professional liability insurance
Implementation Suggestion: Inventory current business associates.
1. Conduct a review of all non-workforce services you have purchased in the last several years.
2. Determine if any of these meet the definition of a business associate.
3. Determine if you have a written agreement currently in place with any of these entities.
4. Determine if the written agreement will expire before the compliance date of April 14, 2003.
5. Document steps 1-4 in a Business Associates inventory log or form.
Note: Sometimes a Business Associate is also a covered entity. For example, a claims clearinghouse, or a billing service that generates electronic claims, is itself defined by HIPAA as a “covered entity”. This means that, like your practice, they must be HIPAA compliant and have policies and procedures for their compliance effort. However, they are also a Business Associate of your practice. Therefore you still need a Business Associates agreement with them.
On the other hand, treating providers with whom you interact are not considered Business Associates. You are not required to have a Business Associates agreement with referring physicians, the hospital or nursing home, home health agencies, public health agencies, or other “treating” providers including laboratories and pharmacies.
Implementation Suggestion: Develop and Implement the Business Associates Agreement.
Review the Business Associate Agreement template under Document Templates.
1. Complete additional customization steps. Wherever words appear in brackets (such as “[organization name]”), fill in the data that is appropriate for your organization. Read the legal disclaimer and customization instructions at the beginning of the document and then delete them. (This information is for your use in customizing the document; it is not intended to be read by your patients.)
2. Review special notes. Review every section of the template document that is enclosed in square brackets and written in a bold font (i.e. “[Note: …]”). These are notes that may change how you customize your Business Associate agreement. Delete these notes once you have read them and taken the appropriate action.
3. Contact all Business Associates identified earlier and inform them that they will need to sign the Business Associates Agreement. You must have a Business Associates agreement in place by the compliance date for any new Business Associate starting services on or after that date, and for any existing Business Associate whose current agreement expires on or before the compliance date. You have until April 2004 for all “evergreen” agreements (those that do not have a formal expiration or termination date). However, we suggest that you obtain executed Business Associates agreements from all Business Associates by the compliance date. Most medical practices do not have a large number of Business Associates.
4. Ensure that the underlying agreement with the Business Associate and the HIPAA Business Associates agreement have the same termination language! HIPAA provides for termination of your Business Associates agreement if the Business Associate violates the agreement and does not correct the problem. However, many “vendor” agreements have different termination clauses; some might have a specified notification period (for example, you might need to give 60 days notice) or they might have an early termination penalty. If you are not sure how to handle this, or the “underlying” agreement is confusing, seek advice from legal counsel! The Business Associates agreement template handles this by providing that its terms supersede anything to the contrary in an underlying agreement.
5. Execute the Business Associates agreement and file it in a separate administrative file titled “Business Associates Agreements”, or file it with the underlying agreement in the contract file for that Business Associate.
6. Enter each Business Associate in the Business Associate agreement log. Once the agreement has been signed, enter the name and contact information on the log. Also note whether the underlying agreement with the Business Associate is “evergreen” (automatically renews each year or at the end of a contract period). If the underlying agreement is not “evergreen”, indicate the start and end dates of the agreement. Also indicate the termination notice requirements of the underlying agreement (most contracts require some kind of advance notice for termination). This log will become a “control” document to manage Business Associate agreements.
Maintenance Suggestion: Handle problems when Business Associates violate their agreement.
1. If you are aware that your business associate is not complying with the terms of the business associate agreement, HIPAA requires that you take action. You are not required to police the actions of your business associates; however, if you are aware of a violation you may not ignore it. You should first attempt to resolve the issue with the business associate. If these attempts are not successful you should terminate the agreement. If it is not feasible to terminate the agreement, you must notify the Department of Health and Human Services.
2. Be sure that staff understand the necessity of reporting to the Privacy Official any indication that a business associate is out of compliance. For example, your front office staff may learn that the billing service has an employee who has gossiped about the condition of one of your patients! This should be reported to the Privacy Official immediately.
3. Create and keep a written record of any complaints or problems you become aware of.
4. Contact the Business Associate immediately and request that they confirm the “breach” and inform you of how they will prevent it from happening again.
5. If their response is too slow or unsatisfactory, that is, if you are not able to resolve the problem as described in step 4 above, immediately terminate the agreement. You may need to seek legal counsel if the termination clause in the agreement is problematic. For example, your agreement with a practice management software maintenance vendor might have an early termination penalty. Use the Business Associate Log form to track termination dates and terms. The Business Associate Log template is under Document Templates.
6. If for some reason you cannot terminate the agreement and the response is unsatisfactory, immediately notify the Department of Health and Human Services, Office of the Secretary, of the breach and of your documented efforts to cure it!
Transferring PHI to Business Associates of another covered entity:
Often physicians are asked to transfer or disclose PHI to the business associates of another covered entity. For example, health plans often require the release of HEDIS data to a business associate of the health plan that collects such information. Such disclosures are for health care operations and are permissible. Business associates are authorized to receive or collect data on behalf of other covered entities (45 CFR 164.502(e)(1)(i)).
Cleaning Services
Depending on the specific service they provide, your cleaning service may or may not be a business associate. If you discard documents or other materials containing PHI in wastebaskets that are emptied by a cleaning service you are, in effect, “disclosing” this PHI to them and a business associate agreement is needed. On the other hand, if you shred every document before depositing it in waste containers (so that no PHI remains to be disclosed), there is no such “disclosure”. In this case you are not disclosing any PHI to the cleaning service and a business associate agreement is not needed.
It is extremely important to remember that you are responsible for documents containing PHI even after they leave your facility. If your cleaning service performs a ‘secure document disposal’ service for you, by shredding or incinerating the documents, then they are acting as a business associate. On the other hand, if they deposit documents containing PHI in a dumpster or a landfill, you (not they) are in violation of the HIPAA ‘safeguards’ requirement. In such circumstances, having a business associate agreement with the cleaning service is not sufficient to protect you from a HIPAA violation.
A note on “Limited Data Set Recipients”
HIPAA also defines another kind of recipient, the “limited data set recipient”, which is not a business associate. Limited data sets may be disclosed or used only for research, public health or health care operations. Examples might include disease studies or registries, or quality assurance committees. In these cases you limit the PHI being shared to a limited data set, and the recipient is considered a “limited data set recipient” rather than a business associate; the disclosure must be covered by a data use agreement with the recipient rather than a business associate agreement. Limited data set recipients might include state hospital associations, researchers, and public health officials. To qualify as a limited data set, you must remove the following information, called direct identifiers, relating to the individual, the individual’s relatives, or other household members:
About the Authors: This PrivaGuide has been greatly improved and customized by the California Medical Association. Specifically, the work of Catherine I. Hanson, Vice President and General Counsel of the CMA and Steven M. Fleisher, Esq. of Fleisher and Associates.
Lesley Berkeyheiser
Ms. Berkeyheiser has over twenty years experience in the healthcare industry, most of it involving managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology. She either has created and/or maintains ownership in various HIPAA remediation products, including HIPAA training products, (PrivaPlanED), Gap Analysis (PrivaPlan), and HIPAA Policies and Procedures (Clayton MacBain HIPAA Templates) and actively participates as Co-Chair for Security and Privacy, and was past Leader of the Vendor Technologies Interdependencies subgroup of the workgroup for Electronic Data Interchange Strategic National Implementation Process (WEDI SNIP). This gives her an extensive and current knowledge of HIPAA remediation solutions.
Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342. Telephone: (610)-558-3332. Email: lberkeyheiser@theclaytongroup.org.
David Ginsberg
Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of its founders. David Ginsberg is a healthcare consultant with over twenty-five years experience. Most recently he organized, and is Executive Director of, the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.
Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508. Telephone: 877-218-7707. Email: dginsberg@PrivaPlan.com.