04/2002

HIPAA Alert: It's April 14th, 2003! Do You Know Where Your “PHI” Is?

James B. Wieland
410-347-7397
jbwieland@ober.com

Howard L. Sollins
410-347-7369
hlsollins@ober.com

Appeared in The Aegis Report
April 2002

When the Department of Health and Human Services (“HHS”) was drafting the HIPAA Privacy Standards, there was a dilemma. Congress had drafted HIPAA to cover only health care providers, health plans and clearinghouses. HHS knew that many third parties — billing companies, lawyers and consultants, collection agencies, outside managers and quality assurance providers, to name but a few — have access to protected health information (“PHI”), that is, individually identifiable health information pertaining to the patients/residents or beneficiaries of covered entities, such as nursing homes. Those third parties were beyond the direct reach of the legislation. HHS’s response was to regulate the manner in which all covered entities — such as long term care facilities — could turn over PHI to such third parties.

You need to review all of your agreements with these types of entities to determine where “business associate” provisions are needed, or to establish new “business associate” agreements with them where PHI is exchanged. You may also be a “business associate” of another entity and be asked to sign such an agreement. Often, companies proposing such terms impose or request additional provisions that go beyond HIPAA’s basic requirements. Thus, amendments to agreements purporting to be required by HIPAA need to be reviewed closely, and your facility needs to decide on the form it will require.

Such a third party is referred to in the HIPAA Privacy Standards as a “business associate.” A covered entity can turn PHI over to a business associate as long as two conditions are met. First, the business associate must need the PHI to perform a “function or activity” on behalf of the covered entity. If a third party seeks access to PHI in order to perform a function or activity of its own, rather than of the covered entity, the third party is not a business associate. Second, the business associate must give the covered entity “satisfactory assurance” that it will safeguard the PHI that is disclosed to it. This assurance must take the form of a written business associate agreement. The required elements of the agreement are the agreement of the business associate to:

  • Not use or further disclose PHI other than as permitted or required by the agreement or as required by law;
  • Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the agreement;
  • Report to the covered entity any use or disclosure of PHI not provided for by the agreement of which the business associate becomes aware;
  • Ensure that any subcontractors or agents to whom the business associate provides PHI received from the covered entity agree to the same restrictions and conditions that apply to the business associate with respect to that PHI;
  • Make PHI available in accordance with applicable law, including the provisions of the HIPAA Privacy Standards;
  • Make the business associate’s internal practices, books, and records relating to the use and disclosure of PHI received from the covered entity available to HHS for purposes of determining the covered entity’s compliance with the HIPAA Privacy Standards;
  • Incorporate any amendments or corrections to PHI when notified by the covered entity pursuant to applicable law;
  • Make available to the covered entity the information required to provide an accounting of disclosures pursuant to applicable law; and
  • At termination of the agreement, return or destroy all PHI received from the covered entity that the business associate still maintains in any form and retain no copies of PHI, unless such return or destruction is infeasible, in which case maintain such PHI in a manner consistent with the business associate agreement.

The Privacy Standards make it clear that a covered entity is not the guarantor of the business associate’s conduct, but simply has to take reasonable steps to monitor and enforce the agreement.

Long term care facilities must have a business associate agreement in place with third parties that receive their PHI in order to assist the facility in a function or activity by April 14, 2003, the date upon which compliance by covered entities with the HIPAA Privacy Standards is currently required. That seems a long way off, but the time to start is now, by identifying such entities and then beginning the work of obtaining their agreement. That may, unfortunately, involve some education of the third parties as to what HIPAA requires. The actual business associate agreement can, in many instances, take the form of an amendment to an existing contractual agreement between the business associate and the long term care facility.

Ober, Kaler, Grimes & Shriver

Maryland
120 East Baltimore Street, Baltimore, MD 21202
Telephone 410-685-1120, Fax 410-547-0699

Washington, D.C.
1401 H Street, NW, Suite 500, Washington, DC 20005
Telephone 202-408-8400, Fax 202-408-0640

Virginia
407 North Washington Street, Suite 105, Falls Church, VA 22046
Telephone 703-237-0126, Fax 202-408-0640