HIPAA Regulatory Alert: How to draft documents for HIPAA implementation

Know requirements for consent, covered entities

The first task in drafting and negotiating Health Insurance Portability and Accountability Act (HIPAA) documents is to understand the requirements for consent, business associates, and covered entities.

By now, most providers know that under HIPAA’s privacy requirements, a provider with a direct-treatment relationship must have patient consent in order to use or disclose protected health information (PHI) for treatment, payment, or their own health care operations.

It also is important to remember that consent is a one-time event, says Thomas Bixby of Michael Best law firm in Madison, WI. Once you get it, you have it until the patient revokes it. "You may condition treatment on obtaining consent," he adds. "If the patient refuses to provide consent, you may refuse to provide treatment."

Under HIPAA’s consent requirements, providers must inform the individuals that their data may be used for treatment, payment, or their own health care operations, and must refer to the notice of privacy practices. They cannot, however, combine the consent with a privacy notice, Bixby says.

In addition, the consent must be visually and organizationally separate from an authorization or any other written legal permission and separately signed and dated. It must describe the individual’s right to request a restriction and state that it may be revoked at any time. If the covered entity is going to reserve the right to change its privacy practices, providers must indicate that in the consent, he adds.

Business associate agreements are required when two basic conditions are met, Bixby says. First, when a business performs a function or activity on behalf of the covered entity; and second, when that function or activity involves the use or disclosure of PHI.

Business associate functions

Claims, data processing, administration, and utilization review all are examples of functions or activities a business associate might engage in. A business associate also is any person who provides services on behalf of a covered entity that involve the use or disclosure of PHI, such as attorneys, actuaries, accountants, and auditors.

On the other hand, network providers of a health plan are not business associates. Nor are physicians automatically considered business associates simply by virtue of the fact that they provide services in a hospital, he says.

Bixby maintains that simply inserting a provision in the contract that says that the vendor shall comply with the HIPAA privacy rules is not sufficient to meet the needs of the business associate contract provisions in the privacy rules.

Monitoring compliance

Under the rule, a business associate contract must establish the permitted and required uses and disclosures of PHI by the business associate. "A simple phrase that the vendor shall comply with the HIPAA privacy rules obviously does not do that," he explains.

Also, the privacy rules provide that the business associate must not use or disclose PHI in violation of the contract or the privacy rules, must implement the safeguards to protect individually identifiable health information, require subcontractors to comply with the privacy rules, provide all of the rights that individuals are entitled to under the privacy rules, report improper use or disclosure to the covered entity, and authorize contract termination to material breach in addition to allowing the Department of Health and Human Services (HHS) access to its books and records.

Bixby notes that a covered entity has some responsibility for monitoring the compliance of its business associates with the business associate contract. It does not have to actively monitor, he adds. But if it becomes aware of a pattern or practice that the business associate engages in that is a breach of their privacy obligations under the contract or the rules, then the covered entity is responsible for making sure that the business associate starts to comply or, if necessary, terminate the contract or report the violation to HHS.

Bixby says there are several specific challenges in terms of dealing with business associate contracts. First, you must develop standard terms for business associate contracts, and then identify third parties that collect PHI on your behalf and third parties to whom you disclose PHI, and determine whether those third parties are business associates. "Not everybody to whom you disclose PHI is going to be a business associate," he adds.

Audit existing contracts

In addition, providers must audit existing contracts with business associates and add data privacy provisions to those contracts as warranted. "Obviously, when you reopen longstanding contracts, you are opening the contracts to renegotiation of all of their terms, including the cost of HIPAA compliance," Bixby says.

Providers must terminate noncompliant business associate arrangements before the compliance date of the HIPAA privacy rule, he adds.

Bixby says most covered entities must have and distribute a written notice of privacy practices, and each covered entity will have to implement written privacy policies and procedures. "You cannot implement a change in your privacy practices without first amending your privacy policies and issuing a revised notice," he says.