Countdown to HIPAA: Who are your HIPAA business associates?

February 17, 2003

What business contracts must be obtained from HIPAA business associates?

 


Whether you are a pharmacy owner, a manager, or a staff pharmacist, you must understand the Health Insurance Portability & Accountability Act's rules regarding business associates. While a pharmacy manager or staff pharmacist may not be responsible for obtaining contracts with business associates, he or she is responsible for activities under the contract. Pharmacy owners are responsible both for obtaining contracts and for activities under the contract.

The essence of the HIPAA rule is that a covered entity must obtain "satisfactory assurances" from each business associate that it will appropriately safeguard protected health information (PHI) that it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing in the form of a contract or other agreement between the covered entity and the business associate. And very important: It is the responsibility of the covered entity, not the business associate, to obtain the contract.

A business associate is defined as a person or entity who performs certain functions or activities on behalf of, or provides services to, a covered entity, and performance of those functions, activities, and services involves PHI. (A member of the covered entity's workforce is not a business associate; however, one covered entity may be a business associate of another covered entity.)

Examples of functions and activities include claims processing or administration, data analysis, utilization review, quality assurance, billing, and practice management. Examples of services include legal, actuarial, accounting, consulting, management, and accreditation. But remember, merely providing these and other functions, activities, and services will not make a person or an entity a business associate. A business associate relationship arises only if PHI is involved.

And the opposite is true, in that giving PHI to another person or entity does not necessarily make that person or entity a business associate. For example, if a pharmacy contacts a physician about a drug-related problem and discloses PHI to the physician in order to resolve the problem, the physician does not become a business associate since he is not providing a function, activity, or service for the pharmacy.

This example also gives rise to another aspect of the HIPAA rules—exceptions to when a business associate contract is required. Most notable for pharmacy, disclosures by a covered entity to a health provider for purposes of treatment do not require a contract. Additional exceptions, together with more information about business associates, are included in a Dec. 3, 2002, guidance published by the Health & Human Services' Office for Civil Rights (OCR). This guidance can be obtained by going to the Web site www.hhs.gov/ocr/hipaa and selecting the "What's New" link.

As to the contract itself, the following information must be included:

• A description of the permitted and required uses of PHI by the business associate

• A requirement that the business associate will not use or further disclose PHI other than as permitted or required by the contract or by law

• A requirement that the business associate will use appropriate safeguards to prevent a use or disclosure of the PHI other than as permitted or required by the contract or by law.

For some business associates, the pharmacy may already have a contract. If so, it may be possible to obtain an extension of the contract requirement from April 14, 2003, to April 14, 2004. Covered entities that have an existing written contract with a business associate prior to Oct. 15, 2002, are permitted to operate under that contract for up to one year beyond the April 14, 2003, compliance date, provided that the contract does not require renewal by an affirmative act (as opposed to an automatic renewal) or modification prior to April 14, 2003. The extension is not available for oral contracts.

During this "transition period," the covered entity must comply with other privacy requirements and fulfill the following responsibilities:

• Make information (including information held by a business associate) available to HHS as necessary for HHS to determine compliance by the covered entity.

• Fulfill an individual's rights to access and amend PHI contained in a designated record set, including information held by a business associate, if appropriate, and receive an accounting of disclosures by a business associate.

• Mitigate, to the extent practicable, any harmful effect known to the covered entity regarding an impermissible use or disclosure of PHI by its business associate.

While a covered entity is not required to monitor and oversee a business associate's compliance, if it becomes aware of a material breach of the contract, then it must take reasonable steps to cure the breach or end the violation. If such steps are not successful, then the covered entity must terminate the contract. Finally, if termination is not feasible, the covered entity must report the problem to the OCR.

The existence of a contract between a covered entity and a business associate is required for compliance with HIPAA. Likewise, the content of the contract must be written in a manner that achieves the HIPAA requirements related to business associates. Those responsible for obtaining contracts with business associates need to study the guidance referenced above, together with other information available from HHS, including sample contract provisions.

Others need to become familiar with the HIPAA rules on business associates and the content of each business associate contract. For example, those responsible for obtaining contracts need to know that the contract must include a provision that the business associate will provide, if appropriate and necessary, any information that the pharmacy needs in order to fulfill a patient request for an accounting of disclosures. Others need to know that if an accounting is requested, it may require obtaining information from a business associate in accordance with the contract. In conclusion, the relationship between covered entities and business associates is an issue that deserves study by all pharmacists in order to ensure compliance with HIPAA requirements.

By Walter L. Fitzgerald Jr., R.Ph., J.D.

The author, a pharmacist-attorney, is a professor of pharmacy at the University of Tennessee College of Pharmacy and author of the NCPA HIPAA Compliance Handbook for Independent Pharmacy. To access the NCPA Web site, go to: www.ncpanet.org.

 

Walter Fitzgerald. Countdown to HIPAA: Who are your HIPAA business associates? Drug Topics 2003;4:54.