Advanced Issues in Business Associate Contracting


Advanced Issues in Business Associate Contracting
Alice J. Becker, JD, Senior Associate General Counsel, PeaceHealth, Bellevue, WA, abecker@peacehealth.org
Rebecca L. Williams, RN, JD, Partner, Davis Wright Tremaine LLP, Seattle, WA, beckywilliams@dwt.com

Two Sides to Every Contract
- Covered entity
  - Has obligation to enter into contract
  - Often want added assurances
- Business associate
  - If business associate wants to work with health care or insurance industries, must contract
  - May be a covered entity
- Battle of the Forms

Comparison of HIPAA Contracts
- Chain of Trust Agreement: Now Eliminated in Final Security Rule
- Trading Partner Agreement: Transaction & Code Set Rule
- Business Associate Contract: Privacy and Security Rules
- Data Use Agreement: Privacy Rule (for use with limited data sets)
- Contracts may be combined as appropriate, such as
  - Clearinghouses may require Trading Partner–BAC Combo
  - BA who creates limited data sets

A Short Overview — Who is a Business Associate? A person who, on behalf of a covered entity or OHCA — Performs or assists with a function or activity involving Individually identifiable information, or Otherwise covered by HIPAA Performs certain identified services Auditors, Actuaries Billing Firms Lawyers Clearinghouses TPAs Covered Entity Management Companies Consultants, Vendors Accreditation Organizations

Business Associate Contracts — Required Terms Under Privacy Rule
- Use and disclose information only as authorized in the contract
  - No further uses and disclosures
  - Not to exceed what the covered entity may do
- Implement appropriate safeguards
- Report unauthorized disclosures to covered entity
- Facilitate covered entity’s access, amendment and accounting of disclosures obligations
- Allow HHS access to determine CE’s compliance
- Return/destroy protected health information upon termination of arrangement, if feasible
  - If not feasible, extend BAC protections
- Ensure agents and subcontractors comply
- Authorize termination by covered entity

Business Associate Contracts — Required Terms Under Security Rule
- Implement administrative, physical and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of electronic protected health information
- Ensure any agent agrees to same restrictions
- Report any security incident
- Authorize termination if the covered entity determines business associate has breached
- When to implement? Now? 2005?

Limited Data Set — Not Quite De-Identified
- LDS = PHI that excludes direct identifiers except:
  - Full dates
  - Geographic detail of city, state and 5-digit zip code
- Not de-identified
- Special rules apply

Data Use Agreements
- A CE may use or disclose a limited data set for research, public health or health care operations if recipient signs data use agreement
- Required Elements:
  - Establish permitted uses and disclosures by recipient
  - Establish who is permitted to use or receive limited data set
  - Require recipient to:
    - Not further use or disclose information
    - Use appropriate safeguards
    - Report impermissible use or disclosure
    - Ensure agents comply
    - Not identify the information or contact the individuals
- Beware of state law twists

Transition Provisions
- Covered entities may continue existing contracts for up to one year beyond April 14, 2003
  - Existing contract prior to effective date of final amendment
  - Contract not renewed or amended between October 15, 2002 and April 14, 2004
- Covered entity still required to comply with Privacy Rule

PeaceHealth — An Organizational Challenge
- 3 states (Oregon, Washington and Alaska)
- 6 hospitals
- Outpatient clinics, nursing home, EAPs, home health, hospice, retail pharmacies, laboratories
- Self-insured health plan

PeaceHealth Identification Process Security and Privacy Oversight Committee (“SPOC”) Regional contract coordinators Education and training Website information Agreements normally subject to Legal Department review Ignore “extension”

Contract Process — PeaceHealth Forms Template Business Associate documents Existing, new, and no written agreement Incorporate security requirements — no separate agreement Incorporate state law requirements (patient rights) Other template agreements with business associate provisions embedded (e.g., medical director agreements) New agreements — add templated language (e.g., transcription agreements) Negotiations — PeaceHealth does not insist on non-required provisions

Contract Process — Third Party Forms Examples — “large vendors” (e.g., Siemens, Premier, IDX, Xerox) to accreditation entities (e.g., CAP) Educate PeaceHealth to send to Legal Department Avoid battle of the forms: Agree to form if tracks the rule Don’t agree to non-required provisions, e.g., OCR language Check for state law compliance Allow each region to sign own form, i.e., JCAHO

PeaceHealth Approach as Business Associate All third party documents must come to Legal Department PeaceHealth templated agreements Include minimum requirements

Issues in Negotiations Covered entity obligations listed in OCR language Notice to BA No nonpermissible requests Obligation to notify BA of changes to NPP or PHI Requirement to mitigate on business associate CE has duty to mitigate under HIPAA Would want assistance from BA Not required

Issues in Negotiations Indemnification Insurance Right to review contracts between business associates and their subcontractors/agents Right to inspect/investigate/audit Ownership of information Change in law Agree to negotiate amendments Unilateral amendments No third-party beneficiaries Beneficial to both parties

Issues in Negotiations Termination provisions Right to immediately terminate Cure periods Authorized to terminate Absence of termination provisions Reference back to underlying contract Unilateral approach

Issues in Negotiations Whistleblower provision 45 CFR Section 164.502(j)(1)(i) De-identification of PHI Don’t meet state law timeframes/obligations Challenges to relationship Treatment only? OHCA?

Issues in Negotiations Data Use Agreement Detailed v. simple Correct purposes? Public Health Health Care Operations Research Underlying agreement Review scope of use Is it a limited data set? Check State Law

Miscellaneous Issues Medical staff — “PeaceHealth OHCA” Board members Removes need for business associate contract Board members Institutionally related foundations Registries Services to PeaceHealth/BAC Authorized by law Accounting of disclosures Equipment maintenance Medical devices FDA reporting May be providers

Miscellaneous Issues Volunteers Expert witnesses Lean and mean contract Do experts need a BAC or Second Tier BAC/subcontractor agreement? EAP agreements Plan sponsor requirement or No disclosure of PHI What about non-applicable provisions? Shredders

FAQs
- Between providers for treatment
- Third party payors
- “Conduits” (couriers, mail services and electronic equivalents)
- Janitorial services
- Organ and tissue procurement contracts

Questions