
Business Associate Agreements Are Coming!

What to Expect, What to Watch Out For

In 2004, most health care providers will be required to sign Business Associate Agreements with almost every company with whom they share patient information. This will apply to a variety of vendors and services, including claims processing; Web services; billing; and X-rays, MRIs, and other diagnostic imaging procedures.

The Health Insurance Portability and Accountability Act (HIPAA) requires that health care providers and insurance companies protect the privacy of patient information. As a part of that requirement, entities that do business together (such as insurance companies and doctors) and transmit information (in any form of transmission, paper included) are required to protect that information from disclosure by the receiving party, by requiring that party to enter into a business associate agreement.

You are likely to see numerous versions of the business associate agreements, each with terms and conditions that need to be considered, separately and within the context of the entire agreement.

Perhaps the least stringent type of business associate agreement is the sample released by the Department of Health and Human Services (HHS).1 However, even its version includes the following provisions in which you, the doctor, would be considered the "Business Associate" and the third-party payer would be considered the "Covered Entity":

Obligations and Activities of Business Associate

  1. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.

  2. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

  3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. [This provision may be included if it is appropriate for the Covered Entity to pass on its duty to mitigate damages to a Business Associate.]

  4. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.

  5. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

  6. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner [Insert negotiated terms], to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524 (of the HIPAA regulations). [Not necessary if business associate does not have protected health information in a designated record set.]

  7. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 (of the HIPAA regulations) at the request of Covered Entity or an Individual, and in the time and manner [Insert negotiated terms]. [Not necessary if business associate does not have protected health information in a designated record set.]

  8. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available [to the Covered Entity, or] to the Secretary (of Health and Human Services), in a time and manner [Insert negotiated terms] or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.

  9. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 (of the HIPAA regulations).

  10. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner [Insert negotiated terms], information collected in accordance with Section [Insert Section Number in Contract Where Provision (i) Appears] of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 (of the HIPAA regulations).

Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E (of the HIPAA regulations).

Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 164.501 (of the HIPAA regulations), limited to the information created or received by Business Associate from or on behalf of Covered Entity.

Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.501 (of the HIPAA regulations).

It should be obvious from the above provisions that your office will be required to follow most HIPAA privacy requirements, even if you don't consider yourself a "covered entity." (Editor's note: See "HIPAA Privacy Laws - Violators Face Jail Time, Fines up to $250,000, and No Payments by Insurance Companies" in the January issue of Dynamic Chiropractic, or online at www.chiroweb.com/archives/21/01/21.html.) This means you will want to have HIPAA privacy and administrative manuals in place for your practice before you sign any of these business associate agreements.

In addition to the above stipulations, the agreement will, at the very least, include the following:

  • Permitted Uses and Disclosures of Protected Health Information by Business Associate;
  • Specific Use and Disclosure Provisions for Protected Health Information (only necessary if parties wish to allow Business Associate to engage in such activities);
  • Obligations of Covered Entity;
  • Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions (provisions dependent on business arrangement);
  • Permissible Requests by Covered Entity;
  • Term and Termination;
  • Termination for Cause;
  • Effect of Termination;
  • Regulatory References;
  • Amendment;
  • Survival; and
  • Interpretation. (Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.)

A condition of indemnity will probably also be included in the business associate agreements you are asked to sign. Since there are serious penalties for violations of the HIPAA privacy provisions, you will be asked to "indemnify" or hold the other party harmless if something happens and fines are assessed, or if someone files a lawsuit.

You should be particularly careful with indemnity clauses; they should not be one-sided. Whatever protection the other party expects from you, it should be willing to give. The language should be equal for both sides. Also, it should be clear that you are only responsible for actions in your control. You should not be asked to protect the other party against acts by third parties.

Finally, you need to be confident that your office has the appropriate HIPAA privacy manuals and is well-prepared to function in a manner that is HIPAA privacy-compliant and allows you to abide by the specific provisions for which you are indemnifying the other party. This is your only real assurance that you won't inadvertently forget what you signed and face heavy penalties later.

The level and type of malpractice insurance you carry may also be part of the business associate agreement. We have already seen agreements that require you to carry "occurrence" type coverage at specified levels. If this is the case, you may have to change your insurance.

Another thing to consider is that your malpractice insurance will not generally cover violations of HIPAA privacy rules or business associate agreements. Unless there are mitigating circumstances, your policy will probably not protect you should you or one of your staff violate the privacy rules, or if you are found practicing without HIPAA privacy manuals. This is another reason to take these business associate agreements very seriously.

If you haven't gotten your first business associate agreement yet, you will soon. Don't assume they are all the same. Read each one, and don't be afraid to challenge provisions you feel are unfair and one-sided. If you are agreeing to abide by the HIPAA privacy laws, make sure you have HIPAA privacy and administration manuals specifically customized to your practice, and that your staff is following the new procedures.

Reference

  1. Medical Privacy - National Standards to Protect the Privacy of Personal Health Information. Sample Business Associate Contract Provisions (published in FR 67 No. 157, pp. 53182, 53264, August 14, 2002). http://www.hhs.gov/ocr/hipaa/contractprov.html#1

Michael J. Schroeder, Esq.
Santa Ana, California

Mr. Schroeder is a longtime member of the National Association of Chiropractic Attorneys (NACA), and its vice president for the last 17 years. He was selected as NACA's Chiropractic Attorney of the Year in 1995.

January 2003