BUSINESS AND CORPORATE LAW

August 2003

HIPAA Business Associate Agreements

Before you sign, look out for provisions that obligate you beyond the legal requirements

Steven M. Goldstein
You may be familiar with the Health Insurance Portability and Accountability Act (HIPAA), and the privacy regulations issued under that Act. Those privacy regulations took effect on April 14, 2003.

One important regulation requires “covered entities” – health care providers, health plans, and health care clearinghouses – to enter into agreements with their “business associates,” i.e., third party administrators, legal counsel, accountants, consultants and other plan providers who may have access to protected health information.

If you work with a health care provider, health plan or health care clearinghouse, you may be asked to sign a Business Associate Agreement. These agreements take many forms, from a simple paragraph addendum to an existing agreement to a brand-new, lengthy agreement. You should carefully review such a document before you sign it, as it can impose significant responsibilities on you. Here are the main points to consider:
- Your obligations described in the agreement should be limited only to those required in the federal regulation (see “Required Obligations” below).
- The provisions requiring you to provide patients with access to records in your possession, as well as the opportunity for patients to amend records in your possession, should apply to you only if the records in your possession are a “Designated Record Set.” (Most business associates will not have records bearing that designation.)
- If the agreement requires you to mitigate any damages, make sure that requirement is limited “to the extent practicable.”
- The agreement should allow you to use the protected health information for your own management and administration and to carry out your own legal responsibilities.
- The agreement should require the return or destruction of information in your possession upon termination of the agreement “only if such return or destruction is feasible.”
- You are not required to indemnify the other party to the agreement. If the agreement contains an indemnity provision, remove it.
- You should add a provision to any business associate agreement stating that “no person or entity is to be considered a third-party beneficiary under the agreement, nor shall any third party have any rights as a result of the agreement.” This will limit an individual patient’s ability to use the agreement as a basis to make a claim against you.
- Avoid unnecessary boilerplate in the agreement. If there are additional provisions that are unnecessary or unusual, do not agree to them.
Required Obligations. According to 45 CFR Section 164.504(e)(2)(ii), a contract between the covered entity and a business associate must provide that the business associate will:

- not use or further disclose the information other than as permitted or required by the contract or as required by law;
- use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
- report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
- ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
- make available protected health information in accordance with §164.524;
- make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526;
- make available the information required to provide an accounting of disclosures in accordance with §164.528;
- make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and
- at termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
These materials are designed to provide general information prepared by professionals in regard to the subject matter covered. It is provided with the understanding that the author is not engaged in rendering legal, accounting, or other professional service. Although prepared by professionals, these materials should not be utilized as a substitute for professional service in specific situations. If legal advice or other expert assistance is required, the service of a professional should be sought.