The following is an outline of a presentation I’ve done on new Business Associate compliance and risk issues under the Health Information Technology for Economic and Clinical Health Act (HITECH), the portion of the American Recovery and Reinvestment Act (ARRA) dealing principally with electronic health records (EHRs).
HITECH compliance is both possible and necessary, but needs to be approached with care, a willingness to analyze difficult legislative provisions, and a sense of humor. Professional help is highly recommended. If you are so inclined, an alcoholic beverage after a HITECH work session – not before! – is also recommended.
If you’d like a copy of the presentation let me know and I’ll send it along. Good luck!
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
A. What Is HITECH?
1. Title XIII of the American Recovery and Reinvestment Act of 2009, H.R. 1, Pub.L. 111-5 (February 17, 2009)
a. “ARRA” or “the Stimulus Bill”
b. 407 pages
2. Title XIII of ARRA: Health Information Technology for Economic and Clinical Health Act – “HITECH Act”
a. 53 pages
3. Subtitle D: Privacy
a. 21 pages
ARRA was principally intended as a stimulus vehicle. HITECH was drafted principally to provide funding for electronic health records (EHRs) and related activities. Subtitle D was added to provide additional legal protections given the increased use of electronic systems in healthcare. My opinion: It was hastily drafted, will be hard to interpret in some cases, and will have unintended consequences.
Compare: HIPAA Administrative Simplification was principally intended for claims processing reform, and wound up reforming healthcare privacy and security.
B. Principal HITECH Concepts (in order of current importance)
1. Extend regulation over key healthcare IT players (Business Associates)
2. Create new security breach notification requirements
3. Increase penalties and tighten enforcement
4. Tighten some PHI use and disclosure limitations
5. Tweak patient/consumer data access rights
C. Business Associates Overview
1. The Old Business Associate (BA) Rules
As a matter of jurisdiction HIPAA applies only to Covered Entities (CEs), defined by statute to include health plans, health care clearinghouses and health care providers. See 45 CFR § 160.103.
The “Business Associate” (BA) was therefore created to allow CEs to use non-CEs to work with Protected Health Information (PHI) on their behalf, without the PHI losing legal protection. A BA is therefore defined as a person to whom a CE discloses PHI so the person can carry out, assist with, or perform a function or activity on behalf of the CE. 45 CFR § 160.103. BA examples include:
2. The Old Business Associate Contracts Rules
A CE may disclose Protected Health Information (PHI) to a BA, or allow a BA to create or receive PHI on the CE’s behalf, only upon “satisfactory assurance” that the BA will “appropriately safeguard” the PHI. 45 CFR § 164.502. A “satisfactory assurance” is a Business Associate Contract (BAC) including required provisions (or an equivalent memorandum of understanding for governmental entities, or plan document provisions for a group health plan). 45 CFR § 164.504(e). A BAC must include the following provisions:
45 CFR §§ 164.314(a), .504(e)
PHI protection is enforced because a CE may be penalized if CE “knew of a pattern of activity or practice” of the BA “that constituted a material breach or violation” of the BAC, unless:
45 CFR § 164.504(e)(1)(ii). HIPAA provides no jurisdiction to penalize BAs.
D. The New HITECH BA Rules: Summary
1. Subtitle D incorporates the following HIPAA regulatory terms by reference:
2. BAs are now required to comply with HIPAA security regulations, and HITECH security requirements
3. BAs required to comply with HITECH privacy requirements
4. HITECH privacy and security requirements incorporated in BACs
5. BAs required to terminate BAC or notify DHHS of CE breach or violation
6. BAs may be audited by DHHS
7. BAs subject to civil and criminal penalties for HIPAA privacy or security regulation violations
E. Business Associates Security Drill-Down
1. BAs are now required to comply with the HIPAA Security Rule:
Sections 164.308, 164.310, 164.312, and 164.316 of [the HIPAA security regulations] shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.
HITECH § 13401(a)
2. The regulations included for compliance are the following:
a. 45 CFR §164.308: Administrative safeguards
i. Standard: Security management process
A. Specifications
I. Risk analysis (R): “Accurate and thorough assessment of potential risks and vulnerabilities”
II. Risk management (R): Security measures “sufficient to reduce risks and vulnerabilities,” to ensure confidentiality, integrity and availability, protect against reasonably anticipated threats or hazards, protect against improper uses or disclosures, and ensure workforce compliance
III. Sanction policy (R): Against workforce for failure to comply with security policies and procedures
IV. Information system activity review (R): Regular review of audit logs, access reports, security incident tracking reports
ii. Standard: Assigned security responsibility
A. No separate specification; identify security official responsible for policy and procedure development and implementation
iii. Standard: Workforce security
A. Specifications
I. Authorization and/or supervision (A): Of workforce with access to electronic protected health information
II. Workforce clearance procedure (A): For determination whether access rights are appropriate
III. Termination procedures (A): To end access to electronic protected health information when employment terminated or clearance determined inappropriate
iv. Standard: Information access management
A. Specifications
I. Isolate health care clearinghouse functions (R)
II. Access authorization (A): Policies and procedures to grant users access to system resources allowing access to electronic protected health information (e.g. workstations, transactions, processes)
III. Access establishment and modification (A): Policies and procedures to establish, document, review and modify users’ access authorizations
v. Standard: Security awareness and training program (all workforce, “including management”)
A. Specifications
I. Security reminders (A)
II. Protection from “malicious software” (A): Guarding against, detecting, reporting viruses, etc.
III. Log-in monitoring (A): Procedures for monitoring log-in attempts and reporting “discrepancies”
IV. Password management (A): Creation, changing and safeguarding
vi. Standard: Contingency planning (emergency and “other occurrences” such as fire, vandalism, system failure, natural disaster) for information systems
A. Specifications
I. Data backup plan (R)
II. Disaster recovery plan (R)
III. Emergency mode operation (R)
IV. Plan testing and revision (A)
V. Applications and data criticality analysis (A): “Assess relative criticality of specific applications and data”
vii. Standard: Evaluation
A. No separate specification; “technical and nontechnical evaluation,” periodic and “in response to environmental or operational changes,” of extent to which policies and procedures meet Security Rule requirements
viii. Standard: Business associates
A. Specifications (45 CFR § 164.314)
I. Contract or “other arrangement” required before covered entity “may permit a business associate to create, receive, maintain, or transmit electronic protected health information” on its behalf
a. Not required for transmissions to providers for treatment, by group health plan, HMO, health insurance issuer on behalf of group health plan to plan sponsor, or transmission to government agencies providing public benefits
B. Contract must include provisions (45 CFR § 164.314(a)) that:
I. Business associate will “implement administrative, physical and technical safeguards that reasonably and appropriately protect” electronic protected health information
II. Any business associate agent or subcontractor will also implement such safeguards
III. Business associate will report “any security incident of which it becomes aware”
IV. Contract may be terminated for breach of material term
b. 45 CFR §164.310: Physical safeguards
i. Standard: Facility access controls: Policies and procedures to limit physical access to information systems, while permitting authorized access
A. Specifications:
I. Contingency operations (A): Procedures for access to restore lost data under disaster recovery and emergency mode operations
II. Facility security plan (A): To safeguard facility and equipment against unauthorized access, tampering, theft
III. Access control and validation (A): Control and validate individuals’ access to facility and equipment, including visitor control and software testing/revision access control
IV. Maintenance records (A): Security-related facility elements (e.g. hardware, walls, doors, locks)
ii. Standard: Workstation use
A. No separate specification; policies and procedures to specify proper workstation functions, manner of performing functions, and physical attributes of workstation “surroundings”
iii. Standard: Workstation security
A. No separate specification; physical safeguards to restrict access to authorized users
iv. Standard: Device and media controls (hardware, electronic media)
A. Specifications:
I. Disposal (R)
II. Media Re-use (R)
III. Accountability (A): Records of “movement of hardware and electronic media and any person responsible therefore”
IV. Data backup and storage (A): “Create retrievable, exact copy of electronic protected health information, when needed, before movement of equipment”
c. 45 CFR §164.312: Technical safeguards
i. Standard: Access controls
A. Specifications:
I. Unique user identification (R): Unique name or number for identifying and tracking
II. Emergency access procedure (R): For obtaining access to electronic protected health information
III. Automatic log-off (A): Session termination after predetermined period of inactivity
IV. Encryption and decryption (A): Electronic protected health information in storage
ii. Standard: Audit controls
A. No separate specification; “hardware, software or procedural mechanisms that record and examine” system activity
iii. Standard: Integrity (protection against improper alteration or destruction)
A. Specification (A): Electronic mechanisms
iv. Standard: Person/entity authentication (confirmation of identity)
A. No separate specification; procedures to verify identity
v. Standard: Transmission security
A. Specifications:
I. Integrity controls (A): Ensure information is not improperly modified without detection
II. Encryption (A)
d. 45 CFR §164.316: Policies and procedures documentation
i. Standard: Policies and procedures
A. No separate specification; may be changed at any time but changes must be documented
ii. Standard: Documentation (policies and procedures; security actions, activities, assessment; in writing or electronic)
A. Specifications:
I. Time limit (R): Six years from later of creation or applicability
II. Availability (R): To individuals responsible for implementing documented procedures (presumably also to DHHS)
III. Updates (R): Periodic review, and in response to “environmental or operational changes”
3. Security regulations not included:
a. 45 CFR § 164.304: Definitions. Lack of inclusion confusing but not a problem – defined terms used in HITECH and Security Rule.
b. 45 CFR § 164.306: General rules – Security objectives, flexible approach, required vs. addressable specifications, maintenance. Lack of inclusion implies less discretion? Or nothing in particular?
c. 45 CFR § 164.314: Organizational requirements – Business associate contracts. Lack of inclusion confusing but meaningless? Is a business associate required to have a business associate contract with subcontractors or not?
F. HITECH Security Requirements Included
“This title” presumably means Title XIII – not just Subtitle D
1. Subtitle D requirements:
a. § 13401 – redundant, recursive
b. § 13401 – security breach notification
2. Other Title XIII security requirements – future standards adopted under § 3004?
G. BA Security Compliance Requirements
1. Implement security program meeting all the security regulation requirements
2. Also review CMS Sample Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews for supplemental perspective
3. Coordinate with CE(s) – some security measures may interfere with common or shared activities or systems
Examples: Transmission encryption, system access, authorization roles – there are others
Look for problems with differing risk tolerances
H. New BAC Privacy Rules
[A Business Associate may use and disclose PHI obtained pursuant to a BAC only] in compliance with each applicable requirement of [45 CFR § 164.504(e).] The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.
HITECH § 13404(a)
1. 45 CFR § 164.504(e): Privacy regulations BAC standard and specifications (see above)
2. Other privacy regulation compliance not required of BAs – except as provided in old BAC required provisions
3. BAC compliance now required of BAs by law
4. HITECH privacy requirements applied to BAs
a. “This subtitle” presumably means Subtitle D, not Title XIII
b. Subtitle D requirements applicable to CEs (see below) – health plan PHI disclosure restrictions, new minimum necessary provisions, new EHR accounting of disclosures rules, new patient access to information rules, new limitations on EHR sales and marketing
I. BAC Compliance
HITECH §§ 13401(a), 13404(a) provide that HITECH requirements “of this title” (security) and “of this subtitle” (privacy) “shall be incorporated into the business associate agreement between the business associate and the covered entity.”
Does “shall be incorporated” mean:
No OCR guidance as of drafting date, so here are some suggestions for dealing with BACs:
1) Statutory provisions are hard to interpret as contract terms – especially HITECH
2) Statutory obligations do not define details of contract compliance
1) Implement new forms to use going forward – new and renewing contracts
2) Ensure BACs are identified and subject to management
3) Communicate SOON with key BA or CE business partners
J. New BAC Termination Rules:
Section 164.504(e)(1)(ii) of title 45, Code of Federal Regulations, shall apply to a business associate . . . in the same manner that such section applies to a covered entity, with respect to compliance with the standards in sections 164.502(e) and 164.504(e) of such title, except that in applying such section 164.504(e)(1)(ii) each reference to the business associate, with respect to a contract, shall be treated as a reference to the covered entity involved in such contract.
HITECH § 13404(b)
K. Old BAC Termination Rule
A covered entity is not in compliance with the standards in §164.502(e) and paragraph (e) of this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to [DHHS]
45 CFR § 164.504(e)(1)(ii)
L. Interpretation of the New Termination Rule
Here’s the old rule, with “Business Associate” substituted for “Covered Entity” and vice-versa, to demonstrate how this works.
A [Business Associate] is not in compliance with the standards in §164.502(e) and paragraph (e) of this section, if the [Business Associate] knew of a pattern of activity or practice of the [Covered Entity] that constituted a material breach or violation of the [Covered Entity’s] obligation under the contract or other arrangement, unless the [Business Associate] took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to [DHHS]
45 CFR § 164.504(e)(1)(ii)
M. New Rules on HIPAA Criminal/Civil Penalties
Applicable to both CEs and BAs
In the case of a business associate that violates any provision of subsection (a) or (b), the provisions of sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner as such provisions apply to a person who violates a provision of part C of title XI of such Act.
HITECH § 13404(c)
N. The Old Civil Penalties Rules
1. $100 per violation of Privacy or Security Rule requirement or prohibition
2. Maximum $25,000 per calendar year per “identical” requirement or prohibition
3. “Continuing” violations (e.g. failure to conduct risk assessment) counted at one violation per day until cured
45 CFR §§ 164.404, .406
4. Affirmative defenses: Violation due to “reasonable cause,” not “willful neglect,” and under correction. 45 CFR § 160.410
5. Penalty aggravation/mitigation factors: Nature, harm caused by violation; intentional violation vs. violation “beyond control;” compliance history; financial factors. 45 CFR § 164.408
O. The New Civil Penalties Rules
HITECH § 13410
1. New penalty regime changes the BA calculus
a) Is the contract worth the risk?
b) Can the BA provide the same (or similar) services without PHI?
c) Some organizations clearly not – RHIOs, QIOs, etc.
d) Some organizations might be able to, for some services – consulting, accounting, law, etc.
e) Should the BA increase fees to meet increased regulatory burdens and risks?
P. Effective Dates and Potential for Extension Pending Regulations?
“Unless otherwise specified:” Feb. 17, 2010. HITECH § 13423.
Q. New Privacy Rules – PHI: Health Plan Disclosures
1. Existing Rule: 45 CFR § 164.522
(a)(1) Standard: right of an individual to request restriction of uses and disclosures.
(i) A covered entity must permit an individual to request that the covered entity restrict:
(A) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and
(B) Disclosures permitted under § 164.510(b).
(ii) A covered entity is not required to agree to a restriction.
(iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.
45 CFR § 164.522
2. New Mandatory Restriction:
REQUESTED RESTRICTIONS ON CERTAIN DISCLOSURES OF HEALTH INFORMATION.—In the case that an individual requests under paragraph (a)(1)(i)(A) of section 164.522 of title 45, Code of Federal Regulations, that a covered entity restrict the disclosure of the protected health information of the individual, notwithstanding paragraph (a)(1)(ii) of such section, the covered entity must comply with the requested restriction if—
(1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and
(2) the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
HITECH §13405(a)
3. Questions and Implications:
R. New Privacy Rules: Minimum Necessary
1. Existing Rules: 45 CFR § 164.502(b)
When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
This requirement does not apply to:
(i) Disclosures to a health care provider for treatment;
(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section;
(iii) Uses or disclosures made pursuant to an authorization under § 164.508.
(iv) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;
(v) Uses or disclosures that are required by law, as described by § 164.512(a); and
(vi) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.
a. Applies to requests for PHI by Covered Entities, as well as their disclosures
45 CFR § 164.514(d)
2. New Rule:
a. Two phase compliance:
b. Statutory period: The following provision applies:
A covered entity shall be treated as being in compliance with section 164.502(b)(1) . . . with respect to the use, disclosure, or request of protected health information only if the covered entity limits such protected health information, to the extent practicable, to the limited data set . . . or, if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.
Subject to same exceptions as apply under regulations
HITECH § 13405(b)
3. A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
45 CFR § 164.514(d)(2), (3)
BUT SEE:
Agreement required. A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes.
45 CFR § 164.514(d)(4)
4. Questions and Implications:
S. Accounting of Disclosures
1. Existing Rule:
Individual entitled to accounting for disclosures made for six years prior to request, except for:
45 CFR § 164.528(a)
2. New Requirements:
a. Grandfathered, delayed compliance:
i. Current EHR users: January 1, 2014 (may be extended by rule to 2016)
ii. EHR acquired after January 1, 2009: Date of acquisition or January 1, 2011 (may be extended by rule to 2013)
3. New rules for EHR disclosures
(1) IN GENERAL.—In applying section 164.528 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information—
(A) the exception under paragraph (a)(1)(i) of such section shall not apply to disclosures through an electronic health record made by such entity of such information; and
(B) an individual shall have a right to receive an accounting of disclosures described in such paragraph of such information made by such covered entity during only the three years prior to the date on which the accounting is requested.
HITECH § 13405(c)
4. New rules for BA disclosures
In response to a request from an individual for an accounting, a covered entity shall elect to provide either an—
(A) accounting, as specified under paragraph (1), for disclosures of protected health information that are made by such covered entity and by a business associate acting on behalf of the covered entity; or
(B) accounting, as specified under paragraph (1), for disclosures that are made by such covered entity and provide a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and email address). A business associate included on a list under subparagraph (B) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.
HITECH § 13405(c)
5. Questions and Implications:
a. Treatment, payment, health care operations disclosures from EHRs will be added
b. Applies whenever external entities are given access
c. If you disclose addresses only, will your BAs be able to respond? Will they want to?
T. Patient Access to PHI
1. Existing Rule: 45 CFR § 164.524
An individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:
2. New Rule:
In applying section 164.524 . . . in the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual—
(1) the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific; and
(2) notwithstanding paragraph (c)(4) of such section, any fee that the covered entity may impose for providing such individual with a copy of such information (or a summary or explanation of such information) if such copy (or summary or explanation) is in an electronic form shall not be greater than the entity’s labor costs in responding to the request for the copy (or summary or explanation).
HITECH § 13405(e)
3. Questions and Implications:
U. Prohibition on EHR and PHI Sales
1. Existing Rule:
Sale or transfer as part of treatment, payment, healthcare operations not prohibited as long as other conditions met – remuneration not a factor
2. New Rules:
A covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual . . . a valid authorization that includes . . . a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual.
HITECH § 13405(d)
Exceptions:
3. Questions and Implications:
What is “remuneration?”
What is “exchange” of PHI? May covered entity transfer temporary possession to 3rd party for use?
Can you quantify research-related costs?
V. Marketing
1. Existing Rule:
Use or disclosure of PHI for marketing purposes requires authorization and notice if “direct or indirect remuneration” is paid, excluding face-to-face communications and “nominal” gifts
45 CFR § 164.508(a)(3)
“Marketing” is a communication about a product or service that encourages recipients to purchase or use the product or service, or an arrangement between a covered entity and any other entity where the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.
45 CFR § 164.501
Exceptions
Health-related product or service (or payment for such) provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about entities in a health care provider or health plan network or added-value health-related products or services available only to a health plan enrollee.
Treatment of the individual; or
Case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care.
2. New Rule:
A communication by a covered entity or business associate that is about a product or service and that encourages recipients of the communication to purchase or use the product or service shall not be considered a health care operation . . . unless the communication is made as described in subparagraph (i), (ii), or (iii) of paragraph (1) of the definition of marketing in section 164.501 of such title.
HITECH § 13406(a)(1)
Exceptions:
A communication by a covered entity or business associate that is described in subparagraph (i), (ii), or (iii) of paragraph (1) of the definition of marketing . . . shall not be considered a health care operation . . . if the covered entity receives or has received direct or indirect payment in exchange for making such communication, except where—
Communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication; and
Any payment received by such covered entity in exchange for making a communication described is reasonable; and either
The communication is made by the covered entity and the covered entity first obtains an authorization from the individual; or
The communication is made by a business associate on behalf of the covered entity and the communication is consistent with the written contract between such business associate and covered entity.
“Reasonable” to be determined by regulation
3. Questions and Implications:
By moviedoc October 3, 2011 - 10:15 pm
Would you agree that contracted sign language and foreign language interpreters hired by physicians should sign BA agreements? (See my blog.)
By John R. Christiansen October 3, 2011 - 10:16 pm
I think so. They obtain protected health information on behalf of covered entities, therefore they are business associates.
By Cory October 3, 2011 - 10:16 pm
I would love a copy of this presentation. I suspect my employer is a business associate and would like to pass this along.
By John R. Christiansen October 3, 2011 - 10:17 pm
Anyone providing services in healthcare – IT services, certainly, but all or almost all others as well – needs to be familiar with Covered Entity and Business Associate concepts and their implications. They aren’t intuitive and aren’t necessarily easy to work through, but have very important implications for both contracting and operations.
By Brian October 3, 2011 - 10:17 pm
When would a law firm become a business associate? Would they be subject to HITECH if they stored PII for health insurance litigation or a class action suit involving health information?
By John R. Christiansen October 3, 2011 - 10:17 pm
In my law practice, I’m a business associate to a number of health care organizations. I also help law firms (as clients) with their own compliance, which is becoming much more ethically problematic under HITECH; I recently did a half-day CLE for my state bar association and have a couple more talks coming up. So there is a lot to be said.
From one of my recent presentations, here are the rules on when lawyers are BAs:
>>>>>>>>>>>>>>>>>>>>>>>>
A. When do lawyers “obtain PHI on behalf of a CE?”
1. Privacy/security compliance support for CEs: Probably yes
2. Some other kinds of compliance support: Sometimes yes
3. Fraud and abuse/false claims: Probably yes
4. Healthcare professional discipline: Probably yes
5. Risk management for CEs: Probably yes
6. Due diligence for some types of CE transactions
7. Representing CE in any case involving individual patient diagnosis or treatment, individual health benefits: Yes
a. Even if PHI is already public record
b. Even if subject individual is plaintiff
c. Even if subject individual has authorized disclosure by CE
8. Not an exhaustive list
B. When lawyers don’t “obtain PHI on behalf of a CE.”
1. Representing any party which is not a CE
a. Including individual plaintiffs
2. Workers compensation cases
3. Social Security cases
4. Employment law matters
a. Except for representation of group health plans
5. Not an exhaustive list
C. Can lawyers escape regulated status?
1. GLBA litigation: American Bar Association v. Federal Trade Commission (2005): Gramm-Leach-Bliley Act (GLBA) did not give the Federal Trade Commission (FTC) jurisdiction to regulate licensed attorneys in the “practice of law” by GLBA privacy regulations, based on interpretation of the key GLBA term “financial institutions”
2. FACTA litigation: American Bar Association v. Federal Trade Commission (complaint filed August 2009): American Bar Association (ABA) complaint for declaratory judgment that licensed attorneys in the “practice of law” are not “creditors” required to comply with identity theft protection “Red Flags Rules” issued by FTC under the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
3. No known HIPAA challenge to lawyers included as BAs
4. Legal theories behind GLBA and FACTA litigation do not apply under HIPAA or HITECH