Presentation is loading. Please wait.

Presentation is loading. Please wait.

Business Associate Contracts: Time Is Running Out . . .

Published byJonas Bradley Modified over 5 years ago

Similar presentations

Presentation on theme: "Business Associate Contracts: Time Is Running Out . . ."— Presentation transcript:

1 Business Associate Contracts: Time Is Running Out . . .
Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA Davis Wright Tremaine LLP

2 . . . Or April Angst, Again April 2003: First deadline
April 14, 2004: Second deadline Small plans and Grandfathered contracts

3 Two Sides to Every Contract
Covered entity Has obligation to enter into contract Often want added assurances Business associate If business associate wants to work in the industry ─ must contract May be a covered entity Battle of the forms

4 Comparison of HIPAA Contracts
Chain of Trust Agreement Now Eliminated in Final Security Rule Trading Partner Agreement Transaction & Code Set Rule Business Associate Contract Privacy and Security Rules Data Use Agreement Privacy Rule (for use with limited data sets) Confidentiality Agreement Long-time historical use Contracts may be combined as appropriate, such as Clearinghouses may require Trading Partner – BAC Combo BA who creates limited data sets

5 Approach to Contracting
Contract management system Identification of business associate functions Development of templates and forms How much negotiating? How many forms? Stand-alone contract v. addendum or exhibit Approval process

6 Need to Identify Who is a Business Associate?
A person who, on behalf of a covered entity or OHCA — Performs or assists with a function or activity involving Individually identifiable information, or Otherwise covered by HIPAA Performs certain identified services involving PHI Auditors, Actuaries Billing Firms Lawyers Clearinghouses TPAs Covered Entity Management Companies Consultants, Vendors Accreditation Organizations

7 Business Associate Contracts — Required Terms Under Privacy Rule
Use and disclose information only as authorized in the contract No further uses and disclosures Not to exceed what the covered entity may do Implement appropriate safeguards Report unauthorized disclosures to covered entity Facilitate covered entity’s access, amendment and accounting of disclosures obligations Allow HHS access to determine CE’s compliance Return/destroy protected health information upon termination of arrangement, if feasible If not feasible, extend BAC protections Ensure agents and subcontractors comply Authorize termination by covered entity

8 Liability . . . Of the Covered Entity
If covered entity knows of a pattern of activity constituting a breach by the business associate, then Must take reasonable steps to Cure the breach or end the violation Require business associate to cure If unsuccessful, Must terminate if feasible or Report to DHHS How much monitoring is required? Affirmative representations by business associate? Investigate complaints? Covered entity should train its workforce to recognize and report violations by business associates

9 Liability . . . Of the Business Associate
Contract Liability (e.g., damages for breach, injunctive relief) State privacy torts Criminal Liability? Suggested by a U.S. Attorney’s Office Argue criminal provisions apply to all ─ not just CEs Conspiracy statutes (aiding & abetting) If a BA willfully causes an act to be done (the wrongful disclosure of PHI), which would be an offense if done by a CE, then the BA arguably could be punished as if a CE Note higher standard than “knowingly” Never been tested/Grain of salt

10 Business Associate Contracts Under Security Rule or April Angst Part III
Implement administrative, physical and technical safeguards that reasonably and appropriately protect the Confidentiality Integrity and Availability of electronic protected health information Ensure any agent agrees to same restrictions Report any “security incident” Very broad Authorize termination if the covered entity determines business associate has breached When to implement? Now? 2005?

11 Limited Data Set — Not Quite De-Identified
Limited Data Set = PHI that excludes direct identifiers except: Full dates Geographic detail of city, state and 5-digit zip code Not de-identified Special rules apply

12 Data Use Agreements A CE may use or disclose a limited data set for research, public health or health care operations if recipient signs data use agreement Required elements: Establish permitted uses and disclosures by recipient Establish who is permitted to use or receive limited data set Require recipient to: Not further use or disclose information Use appropriate safeguards Report impermissible use or disclosure Ensure agents comply Not identify the information or contact the individuals Beware of state law twists

13 Issues in Negotiations
Covered entity obligations listed in “sample” language Notice to BA No nonpermissible requests Obligation to notify BA of changes to NPP or PHI Business associate’s obligation to mitigate CE has duty to mitigate under HIPAA Would want assistance from BA Not required

14 Issues in Negotiations
Indemnification Insurance Limitations on liability Right to review contracts between business associates and their subcontractors/agents Right to inspect/investigate/audit Change in law Agree to negotiate amendments Unilateral amendments Ability to terminate if parties do not agree to amend

15 Issues in Negotiations
Termination provisions Right to immediately terminate Cure periods Authorized to terminate Not required to terminate Breach of underlying contract Determinations of feasibility of return or destruction upon termination May be built into contract

16 Issues in Negotiations
What about non-applicable provisions? BA certifies HIPAA compliance to avoid contract No go BA promises to comply as if it were a covered entity No third-party beneficiaries Beneficial to both parties Whistleblower provision 45 CFR Section (j)(1)(i)

17 Issues in Negotiations
Permissible provisions Allow BA to use and disclose PHI for its proper management and administration Permit BA to use and disclose PHI to carry out its legal responsibilities Disclosures must be required by law or with appropriate assurances De-identification and data aggregation (relating to CE’s operations) of PHI Meeting state law timeframes/obligations Ownership of information

18 Questions

Download ppt "Business Associate Contracts: Time Is Running Out . . ."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,

Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,
H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,

The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.

An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Steps to Compliance: Managing Business Associates PRESENTED BY.

Steps to Compliance: Managing Business Associates PRESENTED BY.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City www.spencerfane.com www.UBAbenefits.com This Employer.

Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City This Employer.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769.

Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA
HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa.

HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa.
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Similar presentations

Ads by Google