Section 3.9 Select: Participation, Data Sharing, Data Use, Business Associate Agreements for HIE and EHR

As part of selecting a vendor for your electronic health record (EHR), health information exchange (HIE) service, or other health information technology (HIT), there are various agreements you will need to execute.

Time needed: 2 hours
Suggested other tools: NA

How to Use
1. Identify the nature of the legal agreements into which you must enter to acquire and use EHR, HIE, and other HIT.
2. Ensure that any EHR or HIT system meets the minimum certification, qualification, or interoperability mandates required by your State or by other mandated program initiatives.
3. Consult with legal counsel to ensure that the agreements meet your needs.

Identify Required Legal or Mandated Program Requirements
It is important to understand the business relationships and legal requirements of all EHR and HIT vendors participating in your data use and data sharing. The types of required legal agreements are outlined below. In addition, any system requirements of mandated program initiatives in which you participate, or of State interoperability programs, should be reviewed for standards compliance as part of selecting an EHR, HIE, or HIT vendor. Examples of mandated program initiatives are provided in the table below.
Program Mandate | URL
State of Minnesota Interoperability Mandate | http://www.health.state.mn.us/e-health/hitimp/index.html
Meaningful Use Certified EHR Technology (CHPL) | http://www.cms.gov/Regulations-andGuidance/Legislation/EHRIncentivePrograms/Certification.html
ONC Voluntary 2015 Edition EHR Certification Proposed Rule – Fact Sheet | http://healthit.gov/sites/default/files/final2015certedfactsheet.022114.pdf
ONC Policy, Regulation, & Strategy for Behavioral Health | http://healthit.gov/policy-researchers-implementers/behavioralhealth
Behavioral Health Data Exchange | http://healthit.gov/policy-researchers-implementers/behavioralhealth-data-exchange

Section 3 Select—Participation, Data Sharing, Data Use, Business Associate Agreements for HIE and EHR - 1

Types of Legal Agreements

Business Associate Contract/Agreement (BAA)
A requirement of the HIPAA Privacy and Security Rules when another business needs routine access to protected health information (PHI) in order to perform work for a covered entity. Under the Omnibus Rule, effective in 2013, business associates are held directly accountable for compliance with the HIPAA Security Rule and certain provisions of the Privacy Rule. Many business associates have in the past asked that their own form of business associate agreement be signed by the provider receiving the services, and this practice is likely to become even more prevalent as a result of this change. As a covered entity, however, you retain the right and the responsibility to ensure that any BAA you sign conforms to the HIPAA requirements and that you are comfortable with any additional clauses it contains.

Data Use Agreement
A HIPAA requirement for a party to use a limited data set (PHI from which specified direct identifiers have been removed, but which is not fully de-identified) for research, public health, or health care operations. The HIPAA Privacy Rule specifies what must be included in a data use agreement.
The federal government does not offer a sample data use agreement, although further explanation is available in the Health Information Privacy FAQs.

Data Use and Reciprocal Support Agreement (DURSA)
The legal, multi-party trust agreement entered into voluntarily by all entities, organizations, and federal agencies that want to engage in electronic HIE using an agreed-upon set of national standards, services, and policies developed in coordination with the Office of the National Coordinator for Health IT (ONC). The DURSA describes the mutual responsibilities, obligations, and expectations of all participants under the agreement. This creates a framework for safe and secure health information exchange, and is designed to promote trust among participants and to protect the privacy, confidentiality, and security of the health data that is shared. The DURSA is based upon the existing body of federal, state, and local law covering privacy and security of health information, and it supports the current policy framework for health information exchange. The DURSA is intended to be a legally enforceable contract. It reflects consensus among the government and private entities that developed the DURSA regarding the following issues:

Each state or other entity establishing a health information organization (HIO) may opt to establish its own form of DURSA or Data Exchange Support Agreement (DESA), including additional clauses. Obtain legal counsel as you consider entering into such an agreement. A sample Minnesota Data Exchange and Support Agreement (DESA) is listed in the table below.
Resource Name | URL
Sample Business Associate Agreement and Provisions | http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
HIPAA Privacy Rule – Data Use Agreement Definitions | http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Data Use and Reciprocal Support Agreement (DURSA) | http://www.nationalehealth.org/dursa
DURSA – Current Version in Effect (2011) | http://www.nationalehealth.org/ckfinder/userfiles/files/Restatement%20I__DURSA_5_3_11_FINAL_for%20PARTICIPANT%20SIGNATURE.pdf
Sample State Data Exchange Support Agreement – Minnesota/CHIC | http://www.hiebridge.org/PDF/CHIC%20HIEBridge%20DESA%20Agreement%20-%20FINAL%2011-29-2011.pdf

Note: all types of agreements should be reviewed with your legal counsel prior to executing the agreement.

Copyright © 2014 Stratis Health. Updated 04-17-14