Gerald M. Hinkley
W. Reece Hirsch
As the April 14 privacy standards compliance deadline approaches, covered entities should make sure their business associate contracts reflect HIPAA's requirements.
Issues and Actions
HIPAA's business associate rules require covered entities to identify their business associates and enter into contracts with them to safeguard the privacy of individually identifiable health information.
- Covered entities need to determine who their business associates are and whether exceptions apply.
- Covered entities need to examine their business associate contracts to ensure that the contracts contain provisions required by HIPAA.
- Covered entities should not enter into business associate contracts unnecessarily.
- Existing business associate contracts are subject to a transition period for compliance with HIPAA.
A bank processes credit-card transactions for your hospital, giving the bank access to certain protected health information (PHI). A hospital hires a consulting firm to review its billing practices. A health plan provides a list of its members to a pharmaceutical company to market a drug. Do any of these situations constitute a business associate relationship as defined by HIPAA? You will need to know before April 14.
Although the ambiguous language and breadth of the requirements in the HIPAA privacy standards leave room for error, HIPAA compliance is attainable. In terms of business associate contracts, HIPAA requires that covered entities identify and enter into contracts with their business associates to safeguard the privacy of PHI.
Identifying Business Associates
The first step toward compliance with the HIPAA business associate requirements is to identify the covered entity's business associates.
Determine who is a business associate. A business associate is anyone who performs or helps perform a function or activity involving the use or disclosure of PHI, transmitted or maintained in any form, including electronic media, when that function or activity is performed on behalf of a covered entity or an organized healthcare arrangement in which the covered entity participates. As such, the definition of a business associate relies on what the entity does, not what it is.
A business associate's functions and activities are likely to include claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; billing; benefit management; practice management; or repricing. For example, a hospital that contracts with a billing company has created a business associate relationship because the billing company is acting on the provider's behalf and is receiving PHI in the form of patient billing information.
Business associates need not be businesses traditionally associated with healthcare services. Any individual or entity that receives PHI from a covered entity while providing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services may be a business associate. For example, a hospital that hires a consultant to review its billing practices enters into a business associate relationship with that consultant.
Narrow your list. Not all of a covered entity's contracting parties are business associates under HIPAA. A contracting party that does not have access to PHI is not a business associate. For example, a medical group that uses a courier service to deliver medical records to a laboratory does not have a business associate relationship with that courier service, provided that the courier does not view the medical records in the course of its services. Incidental access is permitted if the covered entity has reasonable safeguards in place to prevent unauthorized disclosure of PHI. A janitorial service, for example, is not a business associate as long as the covered entity has taken reasonable precautions to limit disclosure. Although the service is performed on behalf of the covered entity, a janitor's access to PHI would be incidental to the job of cleaning.
Even contracting parties that receive PHI are not business associates in all instances. Importantly, the business associate rule applies to contracts that are performed on behalf of the covered entity. If the individual or entity is acting independently or on behalf of someone other than the covered entity, no business associate relationship exists. For example, physicians who contract with a health plan to participate in its provider network typically are not business associates of the health plan. Although the physicians are providing PHI to the health plan (for payment purposes), they are acting on behalf of the patients, not on behalf of or providing a service to the health plan. Similarly, if a health plan provides a list of its members to a pharmaceutical company to market a drug to certain plan members, the pharmaceutical company is not a business associate of the health plan because it is not acting on behalf of the health plan. Although the disclosure to the company probably would require the plan members' authorization, the transaction between the plan and the pharmaceutical company does not create a business associate relationship.
Cross-check your contracts with an exceptions checklist. Additional exceptions to the business associate rule exist (see sidebar, page 56). Even a covered entity's contracts that clearly fall under the rule should be cross-checked against the exceptions.
Avoid entering into a business associate contract where no business associate relationship exists. A covered entity, such as a hospital, does not need a business associate contract with a bank that processes consumers' payment for health care. By processing credit- or debit-card transactions or clearing checks for a hospital, a bank will have access to certain PHI, but access to that information does not make the bank a business associate of the hospital. The bank is not acting on behalf of the hospital in performing its functions; it is providing financial services. Entering into a business associate agreement would unnecessarily burden both parties with provisions that do not suit the nature of the arrangement, such as the requirement that the business associate return or destroy, if feasible, all PHI received from the covered entity upon termination of the agreement.
Negotiate with multiple entities. Covered entities that have a significant number of contract relationships can simplify compliance with the business associate agreement requirements by using a standard addendum, rather than trying to amend each contract individually. An addendum supplements and amends an existing contract and may be drafted to override any conflicting provisions in the pre-existing document that violate HIPAA requirements. Few business associate agreements will be strictly limited to the legally required provisions. Most covered entities will include certain additional terms arising from the organization's privacy and security policies and procedures and contracting practices. Covered entities should determine which provisions in their addendum are not negotiable because they are legally required or are integral to the entity's approach to privacy and security.
Business Associate Contracts
Business associate contracts must comply with the HIPAA requirements. HIPAA demands that business associates use appropriate safeguards to prevent use or disclosure of PHI. Accordingly, every business associate contract must contain certain provisions to ensure that such protections are in place.
Required HIPAA provisions include:
- Ensuring that PHI will not be used or disclosed except in accordance with the business associate contract;
- Ensuring that appropriate safeguards are in place to protect the confidentiality of PHI;
- Requiring business associates to report breaches to the covered entity;
- Requiring agents and subcontractors to comply with the same requirements that apply to business associates;
- Making PHI available to satisfy patients' rights;
- Making PHI available to satisfy HHS's right to investigate and enforce HIPAA; and
- Returning or destroying all PHI upon termination of the agreement, if feasible.
Some covered entities may wish to include additional protections in their contracts, even though not specifically required by HIPAA. A covered entity's ability to obtain additional assurances from its business associates will depend primarily upon its bargaining power in the relationship. Suggested provisions include:
- Requiring compliance with a written privacy and security policy;
- Requiring adequate liability insurance; and
- Limiting any third-party beneficiary rights.
Although the compliance date for the privacy standards is April 14, 2003 (April 14, 2004, for small health plans), a transition period extends the compliance date for existing business associate contracts that are not renewed or modified before April 14, 2003. Such "ever-green contracts" would be deemed in compliance with the privacy standards until the date the contract is renewed or modified or April 14, 2004, whichever is sooner. At that point, the contract must be brought into compliance with the business associate rules. The one-year transition period does not apply to existing oral contracts or other existing arrangements not in writing. Nor does it apply to new written contracts entered into after April 14, 2003. Thus, most covered entities need to begin working toward compliance well before April 14, 2003. Because many healthcare organizations will need to modify a large number of contracts, early action will help covered entities satisfy the requirements by that date. Although covered entities are not required to police their business associates, they must be prepared to respond to a business associate's breaches under the contract and try to mitigate any resulting harms.
Meeting deadlines. The required business associate provisions should be included in new contracts, particularly those that run through April 14, 2003. If a covered entity enters into a business associate contract addendum today, the addendum probably should not become effective until the privacy standards compliance date. Many business associates will object if a covered entity seeks to require compliance with potentially burdensome business associate requirements before compliance is required, such as the ability to track uses and disclosures of PHI as required by the HIPAA patient rights provisions.
In some instances, a covered entity may need to renew or enter into a contract with a business associate immediately without finalizing the provisions of the business associate addendum. In such instances, the parties could include a provision that does not bind the business associate to HIPAA requirements, but does bind both parties to negotiate a HIPAA business associate addendum satisfactory to the covered entity prior to the privacy standard compliance date. Such a provision must include an option to terminate in the event that the business associate fails to promptly enter into negotiations or ultimately sign the business associate contract addendum requested by the covered entity. This approach is not recommended because it simply defers the inevitable negotiation of the terms of the business associate addendum, but in some situations it may be necessary.
Record-keeping. HIPAA gives patients the right to receive an accounting of the disclosures that a covered entity has made for the past six years. Certain disclosures do not need to be reported to the patient, such as disclosures for treatment. However, disclosures to business associates must be included in every requested accounting, which must state the date of the disclosure, identify the recipient and the recipient's location, briefly describe the PHI disclosed, and briefly state the purpose of the disclosure. Accordingly, a covered entity must ensure that it has a system in place to monitor its disclosures to business associates.
Oversight. Even if their business associate contracts comply with all of the requirements of the privacy standards, covered entities cannot rely on the contract provisions alone to shield them from government sanctions or criminal penalties. Adequate performance of the contract is essential, and covered entities cannot ignore a business associate's failure to comply with the HIPAA requirements. While ensuring that a business associate has taken appropriate safeguards to prevent unauthorized use or disclosure of PHI does not require active monitoring, a covered entity cannot entirely disclaim responsibility for the actions of its business associates. HIPAA specifies that a covered entity must mitigate, to the extent practicable, any harmful effects that are known to the covered entity when such harm arises from a disclosure of PHI in violation of the covered entity's policies and procedures or HIPAA. This requirement applies whether the unauthorized use or disclosure is by the covered entity or its business associate.
A covered entity's level of oversight and due diligence will depend in part upon the significance of the relationship and the degree of risk of inappropriate use or disclosure of PHI. If a covered entity knows of a business associate's pattern of activity or practice that breaches the obligations under the business associate agreement, the entity must take reasonable steps to remedy the situation. An isolated breach is unlikely to constitute a "pattern of activity" or a "practice." A covered entity probably would not be required to take action if a business associate inadvertently disclosed PHI because an employee mistakenly violated the business associate's privacy policies. However, if the disclosures are ongoing, appear to be part of a systemic problem, or are due to a defect in the business associate's protective measures, action by the covered entity probably will be required.
Failure to take action may result in a penalty. The government will treat a covered entity that has substantial and credible evidence of a violation by its business associate as knowing of the violation. No actual knowledge is required. While a covered entity is not required to actively monitor every action of a business associate, a covered entity must investigate if it receives complaints or other information that contains substantial and credible evidence of violations by the business associate, and it must act upon any knowledge of such violation that it possesses.
In the event of a breach by a business associate, the covered entity should procure an immediate assurance in writing that the problem has been corrected. If the breaching business associate fails to provide adequate assurance of correction, the covered entity probably should terminate the contract. If termination is not feasible, the covered entity must report the business associate's violation to the secretary of HHS. The feasibility of termination depends upon the burden it imposes upon the covered entity. Inconvenience or increased costs are not reason enough. Termination is feasible only if there are no viable alternatives to continuing a contract with a particular business associate.
Consequences of Violations
A violation of a business associate agreement may result in civil or criminal penalties and/or liability for breach of contract. The government may impose civil penalties upon a covered entity that fails to take steps to cure a business associate's violations, as described above. A business associate that is a covered entity also is subject to civil penalties for violating the satisfactory assurances it has provided as the business associate of another covered entity. Civil monetary penalties of up to $100 may be imposed for each violation, although the penalty cannot exceed $25,000 for the same violations in a single year. As yet, however, the government has not clarified how a violation will be measured. If, for example, a covered entity is found to have violated two implementation requirements within a single specified standard, it is not clear whether each violation constitutes a separate fine or, because they fall under the same standard, together they qualify as a single offense. Consequently, it is still unclear how to determine when the $25,000 threshold has been met. The Office of Civil Rights, which is responsible for HIPAA enforcement, plans to release an enforcement rule, which will specify how to apply these penalties under the HIPAA statute. But until the enforcement rule is finalized, all covered entities must look to the final privacy regulations for guidance regarding fines and sanctions for violations of the privacy standards.
Although the government has no civil recourse against a breaching business associate that is not a covered entity, every business associate that violates the assurances it provides in a business associate agreement is subject to contractual liability. The contract may specify the remedy for such a breach. Alternatively, as with any breach of contract, the breaching party may be forced to pay damages or be subjected to equitable remedies by a court of law.
In addition, a business associate that is not a covered entity is arguably also subject to criminal penalties.
Under HIPAA, any "person" may be subject to criminal penalties for wrongful disclosure of PHI. Therefore, whether or not it is a covered entity, every business associate may be subject to HIPAA's criminal provisions.a The law specifies three types of wrongful disclosures that are punishable by criminal penalties; the level of intent determines the degree of severity. The penalty for knowingly disclosing or obtaining PHI or using a unique health identifier may result in a fine of up to $50,000, a one-year imprisonment, or both. If such activity is performed under false pretenses, the penalty may increase up to $100,000. If the U.S. Department of Justice shows that the use or disclosure was made for commercial or personal gain, the penalty can reach $250,000 and the imprisonment 10 years.
Gerald M. Hinkley, Esq., is a partner, Davis Wright Tremaine LLP, San Francisco, and a member of HFMA's Northern California Chapter.
Rachel Glitz, Esq., is an associate, Davis Wright Tremaine LLP, San Francisco.
W. Reece Hirsch, Esq., is a partner, Sonnenschein, Nath & Rosenthal, San Francisco.
Questions or comments regarding this article may be sent to Gerald M. Hinkley at firstname.lastname@example.org.
a. Although HIPAA applies only to covered entities, the statutory language imposes criminal penalties more broadly upon "a person" who knowingly (and in violation of HIPAA) uses or causes to be used a unique health identifier, obtains PHI relating to an individual, or discloses PHI to another person. 42 U.S.C. § 1326d-6(a). The release of the enforcement rule should help clarify the applicability of criminal penalties to HIPAA violators that are not covered entities.
Business Associate Exceptions Checklist
All business associate contracts should be cross-checked against the following exceptions, even if one of the parties is using or disclosing protected health information (PHI) on behalf of a covered entity:
Workforce. Members of a covered entity's workforce are not that entity's business associates. The workforce includes employees, volunteers, trainees, and anyone else whose performance of work for the covered entity is under that entity's direct control, whether or not the covered entity is paying for the work.
Treatment. A covered entity need not enter into a business associate agreement with a healthcare provider with which or whom it shares PHI if the provider's sole activity is treating patients. For example, a physician who is a member of a hospital's medical staff is not the hospital's business associate as long as the physician's activity is limited to treatment. If the physician under contract is the medical director of a department of the hospital or provides quality-assurance or utilization-management services through participation in hospital committees, however, a business associate agreement
Disclosures between a group health plan and plan sponsor. The business associate rules do not apply to disclosures by a group health plan to a plan sponsor. These disclosures must conform to require-ments under Section 164.504(f) of the privacy standards. For example, a hospital that sponsors its own self-funded health insurance plan for hospital employees is not required to enter into a business associate agreement with the hospital with respect to disclosures of PHI of hospital employees that are made to the hospital as plan sponsor to administer the plan.
Organized healthcare arrangements. Providers that participate in an organized healthcare arrange-ment are not business associates of one another.
The HIPAA privacy standards apply to more than one type of organized healthcare arrangement, the first being a clinically integrated setting in which patients receive care from multiple healthcare providers. Such arrangements could include independent practice associations and hospital-medical staff arrangements. Alternatively, an organized healthcare arrangement may take the form of an organized system of health care in which two or more covered entities portray themselves to the public as participants in a joint arrangement and do, in fact, jointly participate in at least one of the following activities: utilization review, quality assessment, or payment activities. To qualify as a joint activity, utilization review and quality assessment must be performed by one of the covered entities on behalf of the other participants in the arrangement or by a third party on behalf of all participants in the arrangement. To qualify as a joint payment activity, the participants must share at least some financial risk for delivering health care and the PHI created or received must be reviewed for the purpose of administering that shared financial risk. The review may be performed by a participating covered entity or a third party on behalf of the joint arrangement. In addition, group health plans may form organized healthcare arrangements. These arrangements take three forms: a group health plan and a health insurance issuer or HMO (with respect to the PHI of participants or beneficiaries, created or received by the issuer or HMO); multiple group health plans maintained by the same plan sponsor; or multiple group health plans maintained by the same plan sponsor and a health insurance issuer or HMO (with respect to the PHI of participants or beneficiaries, created or received by the issuer or HMO).
Limited data sets. A limited data set is PHI that excludes certain direct identifiers, such as names, social security numbers, and electronic e-mail addresses, but is not completely "de-identified" in accordance with the HIPAA requirements. (The sharing of de-identified information does not require a business associate contract.) If a covered entity contracts for services with another party under an arrangement that involves the use and disclosure of information in a limited data set, no business contract is required. Instead, the parties must enter into a data-use agreement, which contains similar privacy protections but is not the same as a business associate contract.
Data-aggregation services. Data aggregation describes an entity's combination of PHI created or received as a business associate of one covered entity with the PHI received as a business associate of another covered entity, to permit data analyses relating to the healthcare operations of each of those covered entities. Although business associates generally are prohibited from uses or disclosures of PHI that would be prohibited if done by the covered entity, an exception exists for business associates providing data-aggregation services relating to the covered entity's operations. For example, a hospital may contract with a quality-assurance organization to evaluate its clinical practices with respect to treatment of a specific condition. To perform its functions, the quality-assurance organization must aggregate the PHI provided by each of its participating hospitals to develop meaningful statistical results. Similarly, two hospitals participating in a risk-pool arrangement may share utilization data, including PHI, with a consultant retained by the hospitals to assist in calculating the allocation of the risk-pool funds. This arrangement qualifies as data aggregation because it involves data analysis relating to the healthcare operations of multiple covered entities.
Publication Date: Wednesday, January 01, 2003