Headaches and Pitfalls in Business Associate Contract Management © 2013 Christiansen IT Law American Bar Association Health Law Section eHealth, Privacy.


Slide 1: Headaches and Pitfalls in Business Associate Contract Management
© 2013 Christiansen IT Law
American Bar Association Health Law Section, eHealth, Privacy & Security Committee Webinar, August 30, 2013

Slide 2: Presenter CV
John R. Christiansen, J.D. - Christiansen IT Law
- Chair, ABA HITECH Megarule/Business Associates Task Force (2009 – pres.); Committees on Healthcare Privacy, Security and Information Technology (2004 – 06); on Healthcare Informatics (2000 – 04); and PKI Assessment Guidelines Health Information Protection and Security Task Group (2000 – 2003)
- Author, The HITECH Business Associate Contracts Bible (ABA 2013); State and Federal Consent Laws Affecting Health Information Exchange (NGA 2011); Policy Solutions for Advancing Interstate Health Information Exchange (NGA 2009); An Integrated Standard of Care for Healthcare Information Security (AHLA 2005); Electronic Health Information: Security and Privacy Compliance under HIPAA (AHLA 2000)
- Special Assistant Attorney General to Washington State Health Care Authority, health care information issues related to HIPAA, HITECH, and related issues
- Privacy and Security Expert, ONC/OCR Comprehensive Campaign for Communication and Education About the HITECH Act (2010 – 2012); Consultant, ONC State Health Policy Consortium (2010 – pres.); Technical Advisor, ONC Health Information Security and Privacy Collaboration (2005 – 2009)
- Executive Committee/Secretary, Washington State Bar Association Health Law Section (2012 – pres.)
- Adjunct Faculty, University of Washington Information School (2008 – 2012); Oregon Health and Sciences University Division of Medical Informatics and Outcomes Research (2000 – 2003)

Slide 3: Our Agenda
- We Assume You Know at Least the Fundamentals of the Omnibus Rule
  – September 23 is Less than Four Weeks Away
- Quick Basics of Terminology
  – See HITECH Business Associates Task Force Publications for More Details
- Business Associate Contract Pass-Along Problems
- A Few Sample Problems

Slide 4: You Think Organic Chemistry is Complicated?

Slide 5: A Few HITECH BA Chain Variations

Slide 6: Business Associate Terminology – “Long Chain” Subcontracting
- “Upstream:” CE, or BA delegating function
- “Downstream:” BA to which function is delegated
- “First tier” BA: BA with direct delegation from CE
- “Second tier” BA: BA with direct delegation from first tier BA (and third, fourth tier, etc.)
- “Lower tier” BAs: BAs below first tier

Slide 7: Business Associate Terminology – “Side Chain” Services Providers
- BA retains organization to provide services to BA
  – Not a BA/Subcontractor*
- “BA Services Provider” may use, disclose PHI for BA purposes
- BA Services Provider may use other parties to provide support/related services for BA purposes
  – These parties are also not BAs
* Note: Same kind of services provider to CE is a BA

Slide 8: Pass-Along Problems 1. PHI Use/Disclosure Limitations for CE Functions, Activities, Services
- CE must pass along to First Tier BA:
  – General Privacy Rule limitations – required part of BAC
  – NOPP limitations (if any) – implied, not required in BAC
  – Additional restrictions (if any) – implied, not required in BAC
  – Minimum necessary policies (see below) – implied, not required in BAC
- First Tier BA must pass along BAC limitations to Second Tier BA
  – First Tier BA may add “more stringent” limitations to Downstream BAC
- Each Lower Tier BA must pass along limitations from Upstream BAC
  – Each BA may add “more stringent” limitations to Downstream BAC

Slide 9: Pass-Along Problems 2. Individual Access/Accounting Timing and Format
- Long-chain relationships must ensure CE can comply with:
  – 30 day access response (permitted 60 day extension if PHI not maintained on-site by CE)
    – CE review for denial may be necessary
  – Requests for copies in specified electronic formats
  – 60 day response for accounting of disclosure (permitted 30 day extension if CE gives statement of reasons)
- BAC response requirements shorten with each link in the chain – permitted as “More Stringent” requirement

Slide 10: Pass-Along Problems 3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes
- Optional BAC provisions permitting Business Associates to use/disclose PHI for Business Associate management, administration, legal responsibilities, if required by law
  – CE not required to include in BAC
  – First and Lower Tier BAs not required to include in BAC even if CE permits (“more stringent”)
  – If not included, BAs below “cutoff” (BAC not including optional provisions) may not use/disclose PHI for e.g. legal services, audit, consultants, breach investigation, personnel matters (e.g. Security Rule sanctions enforcement), etc.

Slide 11: Pass-Along Problems 3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes (chain diagram)
- First Tier BAC does not permit use/disclosure for BA purposes
- First Tier BA cannot disclose PHI to law firm
- Second Tier BA cannot disclose PHI to security services provider
- Third Tier BA cannot use third party hosting services
- Etc.

Slide 12: Pass-Along Problems 4. Minimum Necessary
“A covered entity’s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR 164.504(e)(2)(i). Thus, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity’s minimum necessary policies and procedures...”
  – OCR Health Information Privacy FAQ, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/252.html
- All BAs have to comply with CE minimum necessary policies
- BAs (mostly) don’t have the authority to adopt their own minimum necessary policies

Slide 13: Pass-Along Problems 4. Minimum Necessary
- Not a specifically required BAC provision
- Strongly implied: BA can’t use/disclose PHI in a manner CE can’t, and CE mostly can’t use/disclose except under minimum necessary policy – OCR BAC Sample “optional” provisions
- Does the CE have minimum necessary policies and procedures?
- Are the CE’s minimum necessary policies complete and intelligible?
- Do the CE’s minimum necessary policies include purposes, positions, PHI scope consistent with BA services, functions, activities?
  – Both for CE purposes, and for BA administrative etc. purposes
  – E.g. physician practice outsources all EHR functions, has no need or policy for network administrator
- Note that professional services provider (e.g. law firm) can define minimum necessary in request to CE – but can’t in request to BA

Slide 14: Pass-Along Problems 5. BAC Termination Problems
- How to coordinate termination of lower tiers?
- How does CE obtain “return” of PHI from lower tiers?
  – Lower tier BAC probably specifies that PHI will be returned to upstream BA upon termination
- Can lower tier BAC include permission to retain PHI if upstream BAC does not?
- Should CE have notice of lower tier BA retention?

Slide 15: Pass-Along Problems 6. Breach Notification
- BAC required to specify reporting of security incidents, unauthorized use/disclosure of PHI, breaches
  – Lower tier BACs probably specify that Downstream BA will notify Upstream BA
  – Agreements with Services Providers must include requirement to report “breach of confidentiality” – not the same as a Breach Notification Rule “breach?”
- Breach Notification Rule independently requires any BA to notify CE of breaches

Slide 16: Pass-Along Problems 6. Breach Notification (chain diagram)
- First Tier BA has regulatory and contract requirement to notify CE
- Second Tier BA has regulatory requirement to notify CE, and contract requirement to notify First Tier BA
- Third Tier BA has regulatory requirement to notify CE, and contract requirement to notify Second Tier BA
- Etc.

Slide 17: Pass-Along Problems 6. Breach Notification
- Breach Notification Rule specifies that the CE (or its “designee”) has the authority to determine if an unauthorized use/disclosure is a “breach”
  – Even though BAs must report “breaches?”
- Under some conditions both CE and BA may have state law breach notification obligations
- BA must notify CE with no “unreasonable delay,” maximum 60 days from when it knew/should have known of breach
- CE must notify individuals, OCR (if more than 500 affected individuals) with no “unreasonable delay,” maximum 60 days from when it knew/should have known of breach
  – CE imputed BA knowledge if BA is CE agent under “federal common law”
- State laws typically require maximum 60 days notice
- BAC response requirements shorten with each link in the chain

Slide 18: Now Contract to Pass Along in These Variations – Bundled IT Service Provider BA with multiple Subcontractor Chains and Side Chains

Slide 19: Now Contract to Pass Along in These Variations – Multi-Services QIO with Multiple CEs Using Various Services Provided through multiple Subcontractor Chains, with Side Chains

Slide 20: Now Contract to Pass Along in These Variations – HIO Providing Multiple Services to Open Community of CEs and BAs Using Various Services Provided through multiple Subcontractor Chains, with Side Chains

Slide 21: How to Solve These Problems

Slide 22: If That Doesn’t Work...

Slide 23: Questions? Answers? Thanks!

Slide 24
- SciTech Listeners – Claim Your Complimentary Membership in ABA’s Health Law Section: http://ow.ly/o3VnI
  – Then, join the eHealth, Privacy & Security interest group (also complimentary, after joining the Health Law Section): http://ow.ly/ncV3R
- HL Section Listeners – Claim Your Complimentary Membership in ABA’s Science and Technology Section: http://ow.ly/ooTgn
- Remaining Agenda
  – Discuss upcoming eHealth IG initiatives.
  – Call for volunteers to work on eHealth IG committees and initiatives.
  – Other Hot Topics/open microphone.
- Collaborate with your peers! The HITECH Business Associate Contracts Bible
