American Medical News

BUSINESS

Privacy duty extends to business associates

Contract Language. By Steven M. Harris, amednews contributor. May 6, 2002.


My last column addressed HIPAA considerations within the context of managed care contracts. This column will discuss HIPAA compliance requirements for your business associate contracts.

HIPAA requires that you and your practice have a written agreement with vendors who are business associates. A "business associate" is a person or entity who performs a function or activity involving the use or disclosure of protected health information on behalf of your practice. That includes claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.

Business associates who access and use protected health information may include: technology vendors, third-party plan administrators, billing companies, collection agencies, lawyers and accountants.

A business associate does not include a member of the work force such as employees, volunteers, trainees, and other persons whose conduct in the performance of work for your practice is under your direct control, whether or not they are paid.

You may not disclose protected information to a business associate without satisfactory assurance that it will be appropriately safeguarded.

Pursuant to the HIPAA regulations, you must enter into a written contract with each of your business associates, and the contract must extend your privacy obligations to the business associate.

The written agreement must:

  • Establish the permitted and required uses and disclosures of health information that the business associate may make.
  • Require the business associate not to use or disclose the health information, except as permitted by the contract or required by law.
  • Require the business associate to use appropriate safeguards to prevent misuse and inappropriate disclosure of health information other than as provided for by the contract.
  • Ensure that the business associate reports any unauthorized uses and disclosures of health information to your practice.
  • Require the business associate to impose the same disclosure conditions and restrictions on its agents and subcontractors.
  • Require the business associate to make an individual's health information available to him or her for access and copying.
  • Require the business associate to make health information available for amendment and to incorporate any amendments to the PHI.
  • Require the business associate to make available to the practice the information needed to provide patients with an accounting of disclosures of their health information.
  • Require the business associate to make its internal practices, books and records relating to the use and disclosure of health information received from, or created or received by the business associate on behalf of, your practice available to the Dept. of Health and Human Services for purposes of determining your practice's compliance with HIPAA requirements.
  • Require that, upon termination of the contract, the business associate return or destroy all protected health information received from, or created or received by the business associate on behalf of, your practice. If this isn't possible, then limit further uses and disclosures of that protected information beyond the termination of the contract.

Also make sure that you are able to terminate the contract if the business associate commits a serious violation such as a material breach of the contract, including, without limitation, the confidentiality and privacy provisions of the contract.

All of your business associate contracts should contain additional provisions to address the allocation of risk between the parties in the event of a HIPAA violation. Such risks include civil monetary penalties and exposure to damages in a lawsuit brought by an individual whose information has been inappropriately used or disclosed.

You should consider including the following additional provisions for the allocation of these risks between the business associate and your practice:

Indemnification and insurance. Seek indemnification for your practice and its affiliates by the business associate against any claim, cost or damage arising from a breach by the vendor of its obligations in connection with security, privacy or confidentiality of protected information.

Exclusion from limitation of liability. Exclude any damages arising from the vendor's breach of its obligations relating to information use, privacy, security and confidentiality from any limitation on the vendor's liability.

Data ownership. Include a provision in the contract that clearly states that between the vendor and your practice, you are the owner of the health information and will retain such ownership during the term of the contract and upon termination.

Minimum necessary representations. HIPAA allows you to rely, if reasonable under the circumstances, on a requested disclosure of health information as being the minimum necessary for the stated purpose. You should have a provision in the business associate contract whereby your vendor makes the appropriate minimum necessary representations.

Right to cure. Under the Business Associate Standard of the HIPAA privacy regulations, if you know of a pattern of activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligations, you must take reasonable steps to cure the breach or end the violation. Make sure you retain the right to cure a breach by the vendor and include the right to terminate the contract and seek related remedies even if the vendor is able to cure the breach.

Injunctive relief. You should also include a provision within the contract stating that any breach of the contract would result in irreparable harm to your practice and that you have the right to immediately seek an injunction and any other available equitable rights and remedies.

On March 27, HHS published proposed changes to the medical privacy rules under HIPAA. HHS has proposed a delay in the business associate contract requirements that would apply only to contracts in existence prior to April 14, 2003, and would be effective only until either those contracts were renewed or modified, or April 14, 2004, whichever occurs first.

While most of the changes would further enable covered entities to be in compliance with the HIPAA privacy requirements, it will be several months before the final regulations based on HHS' recent proposed changes will be published. In the interim, you should become aware of HIPAA's impact on your practice and identify which of your vendors will require business associate contracts.


Harris, a partner at McDonald Hopkins in Chicago, concentrates on health care law and has counseled physicians, physician networks and health care groups nationally. The author and publisher are not rendering professional advice and assume no liability in connection with its use. He can be reached at 312-280-0111, or by email (sharris@mcdonaldhopkins.com).



Copyright 2002 American Medical Association. All rights reserved.