THE ACADEMY OF MEDICINE OF CLEVELAND/
NORTHERN OHIO MEDICAL ASSOCIATION
AND
MCDONALD, HOPKINS, BURKE & HABER CO., L.P.A.
The Impact of the HIPAA Requirements on Physicians
Part Three: Business Associates
By Richard S. Cooper
This is the third in a series of articles addressing the impact of the final privacy regulations promulgated by the Federal government pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The HIPAA privacy regulations impose a new set of privacy requirements where a covered entity (such as a physician or physician group) releases protected health information (PHI) to any third party other than another treating physician or the patient. This type of business association occurs when a covered entity engages a third party to perform an activity on behalf of the covered entity and must therefore disclose PHI to that party. The regulation of business associations under HIPAA must be understood and correctly applied, as this type of outsourcing occurs frequently in health care provider and health plan relationships.
The overall concept of business associates is very broad. Specifically, a business associate is defined as any entity or person that performs a function or activity involving the use or disclosure of PHI on behalf of the covered entity, or that provides specified services to the covered entity if the services involve the disclosure of PHI. Functions or activities performed on behalf of a covered entity include: (1) claims processing and administration; (2) data analysis, processing or administration; (3) utilization review; (4) quality assurance; and (5) billing. Similarly, the specified services that make their provider a business associate of a covered entity include: (1) legal; (2) actuarial; (3) accounting; (4) consulting; (5) data integration; (6) management; (7) administration; (8) accreditation; and (9) financial services.
A covered entity must document that it has received satisfactory assurance that the business associate will safeguard the PHI. This must be accomplished through a written contract between the business associate and covered entity. Contracts are required when a covered entity discloses PHI to a business associate, as well as when a business associate creates or receives PHI on behalf of the covered entity. Generally, the contract must be in plain language and must inform the business associate that PHI may be used and disclosed solely to carry out treatment, payment or health care operations and then only for purposes for which it was provided. The agreement must also provide for its termination if the covered entity determines that the business associate has violated a material term of the agreement. There are other specific contractual obligations that must be included in the agreement to safeguard the confidentiality of PHI.
The final rule continues to obligate covered entities that act as business associates of other covered entities to comply with the other entities' privacy practices. In essence, each covered entity must comply with all the privacy practices of the covered entities with which it contracts as a business associate.
The final HIPAA regulations limit the extent to which a covered entity must monitor the actions of a business associate. Covered entities are only required to take reasonable steps to cure a breach or terminate the contract if the covered entity knows of a material violation of the contract by the business associate. The covered entity will be deemed to have knowledge of the violation if it has substantial credible evidence to that effect. Failure by a business associate to cure a violation after notification of such violation requires the covered entity to report the violation to the Secretary of Health and Human Services.
Lastly, the final HIPAA regulations eliminated the provision making each individual a third party beneficiary of the contract between the covered entity and business associate, thereby removing the private right of action that would have otherwise existed under the proposed rule.
Mr. Cooper is a Shareholder in the law firm of McDonald, Hopkins, Burke and Haber Co., LPA, and Manager of the firm's Health Law Department.