[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Same-Day Surgery, American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: firstname.lastname@example.org.]
Question: Who are my business associates, and what needs to be included in a business associate agreement?
Answer: "A business associate is any entity that provides services to or on behalf of your patients that require the use or disclosure of their protected health information," says Joshua M. Kaye, Esq., an attorney with McDermott, Will, & Emery in Miami. Typical examples of business associates for same-day surgery programs include management companies, billing or collections companies, and transcription services, he says.
"Don’t forget other persons or companies that provide legal, accounting, or consulting services as well," he adds. This differs from an "organized health care agreement" in which all parties work together and seamlessly share patient information.
An agreement with accreditation organizations also is needed, Kaye says.
(Editor’s note: For a copy of the business associate agreement designed by the Joint Commission on the Accreditation of Healthcare Organizations, go to: www.jcaho.org/accredited+organizations/hospitals/index.htm and click on "business associate agreement." For a copy of the Accreditation Association of Ambulatory Health Care’s business associate agreement, go to: www.aaahc.org/legislative/hipaa.htmle and click on "business associate agreement.")
If a company with which you contract for work, such as a maintenance or janitorial service, doesn’t require protected health information to provide its services, a business associate agreement is not required, says Kaye.
"Your business associates assume the same obligations as your same-day surgery program with respect to patient privacy under HIPAA regulations," says Michael R. Callahan, partner and head of the HIPAA section for Katten, Muchin, Zavis, and Rosenman, a Chicago-based law firm.
Their agreement with you should include language that shows they agree to protect a patient’s health information in the same manner your same-day surgery program protects the information, he explains.
Although vendors are not considered covered entities by HIPAA, the same-day surgery program, which is the covered entity, is liable for all actions of vendors that involve protected patient information, points out Callahan.
If your business associates misuse patient information, they cannot be fined or convicted, but you can, he explains.
For this reason, you may want to include a provision in your business associate agreements that requires the business associate to indemnify your program if you should get sued for their mistakes, he adds. Your agreement also should address HIPAA rules that require the provider to take corrective action, such as recovery of records or termination of service, if your business associate violates a patient’s confidentiality, Callahan explains.
"You have until April 14, 2004, to negotiate amendments to your contracts with your business associates that were signed before Oct. 14, 2002," Kaye points out. However, if you enter into or renew a contract with a business associate between Oct. 15, 2002, and April 14, 2004, be sure that the contract incorporates the business associate requirements, he says.
"Also, you must still ensure that patients are afforded their privacy rights after April 14, 2003, even for business associate contracts that you do not amend until April 14, 2004," Kaye adds.
"Consider having each business associate sign a privacy addendum to your existing contract rather than entering into new agreements to avoid opening your existing contract up to negotiation on business terms rather than patient privacy," he says. While sample business associate provisions are available in the privacy standards, they’re not mandatory and shouldn’t be used "as is," because they place greater burdens than what is required by law, he points out.
A business associate agreement should make sure that a patient’s right to privacy flows throughout your business process, even if the information is passed along to one of your associates, Callahan says. Your business associates should meet the same requirements your same-day surgery program is required to meet, including a log of how the information is used, he adds.
Importantly, a business associate is not another health care provider, such as an anesthesiologist or radiologist, to which your program discloses a patient’s information for treatment purposes, says Kaye. A business associate agreement remains necessary to deal with disclosures to providers for purposes other than treatment, he says.
Examples include peer review and utilization review committees, he adds. If your same-day surgery program and its providers have qualified as and have an Organized Health Care Arrangement (OHCA) in place, a business associate agreement is not necessary to cover peer review activities, if all committee members are included in the OHCA, he says. An OHCA is a formal agreement that identifies the program and its providers as members of a single entity for the purposes of protecting patient information.