Presentation is loading. Please wait.

Presentation is loading. Please wait.

Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769.

Published byAkira Millet Modified over 9 years ago

Similar presentations

Presentation on theme: "Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769."— Presentation transcript:

1 Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA beckywilliams@dwt.com 206-628-7769 Davis Wright Tremaine LLP

2 2... Or April Angst, Again  April 2003: First deadline  April 14, 2004: Second deadline  Small plans and  Grandfathered contracts  April 2003: First deadline  April 14, 2004: Second deadline  Small plans and  Grandfathered contracts

3 Davis Wright Tremaine LLP 3 Two Sides to Every Contract  Covered entity  Has obligation to enter into contract  Often want added assurances  Business associate  If business associate wants to work in the industry ─ must contract  May be a covered entity  Battle of the forms  Covered entity  Has obligation to enter into contract  Often want added assurances  Business associate  If business associate wants to work in the industry ─ must contract  May be a covered entity  Battle of the forms

4 Davis Wright Tremaine LLP 4 Comparison of HIPAA Contracts  Chain of Trust Agreement  Now Eliminated in Final Security Rule  Trading Partner Agreement  Transaction & Code Set Rule  Business Associate Contract  Privacy and Security Rules  Data Use Agreement  Privacy Rule (for use with limited data sets)  Confidentiality Agreement  Long-time historical use  Contracts may be combined as appropriate, such as  Clearinghouses may require Trading Partner – BAC Combo  BA who creates limited data sets  Chain of Trust Agreement  Now Eliminated in Final Security Rule  Trading Partner Agreement  Transaction & Code Set Rule  Business Associate Contract  Privacy and Security Rules  Data Use Agreement  Privacy Rule (for use with limited data sets)  Confidentiality Agreement  Long-time historical use  Contracts may be combined as appropriate, such as  Clearinghouses may require Trading Partner – BAC Combo  BA who creates limited data sets

5 Davis Wright Tremaine LLP 5 Approach to Contracting  Contract management system  Identification of business associate functions  Development of templates and forms  How much negotiating?  How many forms?  Stand-alone contract v. addendum or exhibit  Approval process  Contract management system  Identification of business associate functions  Development of templates and forms  How much negotiating?  How many forms?  Stand-alone contract v. addendum or exhibit  Approval process

6 Davis Wright Tremaine LLP 6 Need to Identify Who is a Business Associate?  Performs or assists with a function or activity involving Individually identifiable information, or Otherwise covered by HIPAA  Performs certain identified services involving PHI  Performs or assists with a function or activity involving Individually identifiable information, or Otherwise covered by HIPAA  Performs certain identified services involving PHI Auditors, Actuaries Billing Firms Lawyers ClearinghousesTPAs Covered Entity Management Companies Consultants, Vendors Accreditation Organizations  A person who, on behalf of a covered entity or OHCA —

7 Davis Wright Tremaine LLP 7 Business Associate Contracts — Required Terms Under Privacy Rule  Use and disclose information only as authorized in the contract  No further uses and disclosures  Not to exceed what the covered entity may do  Implement appropriate safeguards  Report unauthorized disclosures to covered entity  Facilitate covered entity’s access, amendment and accounting of disclosures obligations  Allow HHS access to determine CE’s compliance  Return/destroy protected health information upon termination of arrangement, if feasible  If not feasible, extend BAC protections  Ensure agents and subcontractors comply  Authorize termination by covered entity  Use and disclose information only as authorized in the contract  No further uses and disclosures  Not to exceed what the covered entity may do  Implement appropriate safeguards  Report unauthorized disclosures to covered entity  Facilitate covered entity’s access, amendment and accounting of disclosures obligations  Allow HHS access to determine CE’s compliance  Return/destroy protected health information upon termination of arrangement, if feasible  If not feasible, extend BAC protections  Ensure agents and subcontractors comply  Authorize termination by covered entity

8 Davis Wright Tremaine LLP 8 Liability... Of the Covered Entity  If covered entity knows of a pattern of activity constituting a breach by the business associate, then  Must take reasonable steps to Cure the breach or end the violation Require business associate to cure  If unsuccessful, Must terminate if feasible or Report to DHHS  How much monitoring is required?  Affirmative representations by business associate?  Investigate complaints?  Covered entity should train its workforce to recognize and report violations by business associates  If covered entity knows of a pattern of activity constituting a breach by the business associate, then  Must take reasonable steps to Cure the breach or end the violation Require business associate to cure  If unsuccessful, Must terminate if feasible or Report to DHHS  How much monitoring is required?  Affirmative representations by business associate?  Investigate complaints?  Covered entity should train its workforce to recognize and report violations by business associates

9 Davis Wright Tremaine LLP 9 Liability... Of the Business Associate  Contract Liability (e.g., damages for breach, injunctive relief)  State privacy torts  Criminal Liability?  Suggested by a U.S. Attorney’s Office  Argue criminal provisions apply to all ─ not just CEs  Conspiracy statutes (aiding & abetting)  If a BA willfully causes an act to be done (the wrongful disclosure of PHI), which would be an offense if done by a CE, then the BA arguably could be punished as if a CE  Note higher standard than “knowingly”  Never been tested/Grain of salt  Contract Liability (e.g., damages for breach, injunctive relief)  State privacy torts  Criminal Liability?  Suggested by a U.S. Attorney’s Office  Argue criminal provisions apply to all ─ not just CEs  Conspiracy statutes (aiding & abetting)  If a BA willfully causes an act to be done (the wrongful disclosure of PHI), which would be an offense if done by a CE, then the BA arguably could be punished as if a CE  Note higher standard than “knowingly”  Never been tested/Grain of salt

10 Davis Wright Tremaine LLP 10 Business Associate Contracts Under Security Rule or April Angst Part III  Implement administrative, physical and technical safeguards that reasonably and appropriately protect the  Confidentiality  Integrity and  Availability of electronic protected health information  Ensure any agent agrees to same restrictions  Report any “security incident”  Very broad  Authorize termination if the covered entity determines business associate has breached  When to implement?  Now?  2005?  Implement administrative, physical and technical safeguards that reasonably and appropriately protect the  Confidentiality  Integrity and  Availability of electronic protected health information  Ensure any agent agrees to same restrictions  Report any “security incident”  Very broad  Authorize termination if the covered entity determines business associate has breached  When to implement?  Now?  2005?

11 Davis Wright Tremaine LLP 11 Limited Data Set — Not Quite De-Identified  Limited Data Set = PHI that excludes direct identifiers except:  Full dates  Geographic detail of city, state and 5-digit zip code  Not de-identified  Special rules apply  Limited Data Set = PHI that excludes direct identifiers except:  Full dates  Geographic detail of city, state and 5-digit zip code  Not de-identified  Special rules apply

12 Davis Wright Tremaine LLP 12 Data Use Agreements  A CE may use or disclose a limited data set for research, public health or health care operations if recipient signs data use agreement  Required elements:  Establish permitted uses and disclosures by recipient  Establish who is permitted to use or receive limited data set  Require recipient to: Not further use or disclose information Use appropriate safeguards Report impermissible use or disclosure Ensure agents comply Not identify the information or contact the individuals  Beware of state law twists  A CE may use or disclose a limited data set for research, public health or health care operations if recipient signs data use agreement  Required elements:  Establish permitted uses and disclosures by recipient  Establish who is permitted to use or receive limited data set  Require recipient to: Not further use or disclose information Use appropriate safeguards Report impermissible use or disclosure Ensure agents comply Not identify the information or contact the individuals  Beware of state law twists

13 Davis Wright Tremaine LLP 13 Issues in Negotiations  Covered entity obligations listed in “sample” language  Notice to BA  No nonpermissible requests  Obligation to notify BA of changes to NPP or PHI  Business associate’s obligation to mitigate  CE has duty to mitigate under HIPAA  Would want assistance from BA  Not required  Covered entity obligations listed in “sample” language  Notice to BA  No nonpermissible requests  Obligation to notify BA of changes to NPP or PHI  Business associate’s obligation to mitigate  CE has duty to mitigate under HIPAA  Would want assistance from BA  Not required

14 Davis Wright Tremaine LLP 14 Issues in Negotiations  Indemnification  Insurance  Limitations on liability  Right to review contracts between business associates and their subcontractors/agents  Right to inspect/investigate/audit  Change in law  Agree to negotiate amendments  Unilateral amendments  Ability to terminate if parties do not agree to amend  Indemnification  Insurance  Limitations on liability  Right to review contracts between business associates and their subcontractors/agents  Right to inspect/investigate/audit  Change in law  Agree to negotiate amendments  Unilateral amendments  Ability to terminate if parties do not agree to amend

15 Davis Wright Tremaine LLP 15 Issues in Negotiations  Termination provisions  Right to immediately terminate  Cure periods Authorized to terminate Not required to terminate Breach of underlying contract  Determinations of feasibility of return or destruction upon termination  May be built into contract  Termination provisions  Right to immediately terminate  Cure periods Authorized to terminate Not required to terminate Breach of underlying contract  Determinations of feasibility of return or destruction upon termination  May be built into contract

16 Davis Wright Tremaine LLP 16 Issues in Negotiations  What about non-applicable provisions?  BA certifies HIPAA compliance to avoid contract  No go  BA promises to comply as if it were a covered entity  No third-party beneficiaries  Beneficial to both parties  Whistleblower provision  45 CFR Section 164.502(j)(1)(i)  What about non-applicable provisions?  BA certifies HIPAA compliance to avoid contract  No go  BA promises to comply as if it were a covered entity  No third-party beneficiaries  Beneficial to both parties  Whistleblower provision  45 CFR Section 164.502(j)(1)(i)

17 Davis Wright Tremaine LLP 17 Issues in Negotiations  Permissible provisions  Allow BA to use and disclose PHI for its proper management and administration  Permit BA to use and disclose PHI to carry out its legal responsibilities  Disclosures must be required by law or with appropriate assurances  De-identification and data aggregation (relating to CE’s operations) of PHI  Meeting state law timeframes/obligations  Ownership of information  Permissible provisions  Allow BA to use and disclose PHI for its proper management and administration  Permit BA to use and disclose PHI to carry out its legal responsibilities  Disclosures must be required by law or with appropriate assurances  De-identification and data aggregation (relating to CE’s operations) of PHI  Meeting state law timeframes/obligations  Ownership of information

18 Davis Wright Tremaine LLP 18 Questions

Download ppt "Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,

The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.

An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Steps to Compliance: Managing Business Associates PRESENTED BY.

Steps to Compliance: Managing Business Associates PRESENTED BY.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.

1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City www.spencerfane.com www.UBAbenefits.com This Employer.

Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City This Employer.
Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.

Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014.

Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Similar presentations

Ads by Google