HIPAA Trading Partners, Legal Relationships
October 2, 2001
Presented by Peter B. Goldstein, Esq.
Cap Gemini Ernst & Young, US LLC

Agenda
- Definition of Terms
- Explicit Obligations of the Covered Entity
- Explicit Obligations of the Business Associate
- Implicit Obligations
- Example for Discussion
- Questions

Under HIPAA, “trading partner” has special meaning

Trading Partnership: “A partnership whose usual business involves buying and selling.” Black’s Law Dictionary

Business Associate: “With respect to a covered entity, a person who, on behalf of the covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information….” 45 CFR §160.103

The connection between covered entities and business associates will be defined by contract and the law

Legal: “Arising by operation of law, as distinguished from that which arises by agreement or act of the parties….”
Relation: “State of being mutually or reciprocally interested, as in social or commercial matters….”
Relationship: “A state of affairs existing between those having relations or dealings….” Webster’s Third New International Dictionary
Legal Relation: “The connection in law between one person or entity and another.” Black’s Law Dictionary

New and explicit obligations will be imposed upon relationships

Obligations of the covered entity:
Before a covered entity may disclose protected information to a business associate, “it must: Obtain satisfactory assurances that the business associate will appropriately safeguard the information.” Section 164.502(e)(1).
The assurances from the business associate must be provided by means of a written contract or other agreement that documents the permitted and required uses and disclosures of protected health information by the business associate. The business associate cannot use or disclose the information in any manner which would not be permissible for the covered entity under the HIPAA privacy regulations. Id.

New and explicit obligations will be imposed upon relationships (continued)

Obligations of the business associate:
The business associate must contractually agree that it will:
- Not use or further disclose the information other than as permitted under the contract or as required by law;
- Use appropriate safeguards to prevent use or disclosure of the information other than as provided by its contract;
- Report to the covered entity any use or disclosure not provided for by its contract of which it becomes aware;
- Ensure that any agents to whom it provides protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information;
- Afford individuals access to their protected health information as required under Section 164.524;

New and explicit obligations will be imposed upon relationships (continued)

Obligations of the business associate (continued):
The business associate must contractually agree that it will:
- Make information available for amendment and incorporate amendments to it in accordance with Section 164.526;
- Make available the information to provide an accounting of disclosures in accordance with Section 164.528;
- Make its internal practices, books and records relating to the use and disclosures of protected health information received from, or created or received by the business associate on behalf of the covered entity available to the Secretary for the purposes of assessing the covered entity’s compliance with the privacy regulations; and
- At the termination of the contract, if feasible, return or destroy all protected health information received from or created or received by the business associate on behalf of the covered entity.

Some obligations will not be as readily apparent

A covered entity’s exposure under Section 164.504 arises from two elements:
- Knowledge of “a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement; and
- Failure to take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful,
  - Terminate the arrangement, if feasible, or
  - Report the problem to the Secretary.

Regulatory compliance is more than a matter of strict construction

“The concept of ‘knowledge’ for purposes of the criminal law is not limited to positive knowledge, but includes the state of mind of one who does not possess positive knowledge only because he consciously avoided it.” U.S. v. Shannon, 137 F.3d 1112 (9th Cir. 1998), cert. den. 118 S. Ct. 23900, 141 L.Ed.2d 755.

A defendant can be deemed willfully ignorant if it can be shown that there were facts that “put her on notice of the probability of criminal activity, that the defendant failed to investigate, thus deliberately choosing to not verify or discover the criminal activity.” Id. at 1118.

Under RICO (Racketeer Influenced and Corrupt Organizations Act), a “pattern” is defined as “at least two distinct but related predicate acts that amount to, or threaten the likelihood of continued criminal activity.” U.S. v. Alexander, 888 F.2d 777 (11th Cir. 1989), cert. den. 110 S. Ct. 2623, 496 U.S. 927, 110 L.Ed.2d 643.

Policies and Procedures must address issues the rules do not

A covered entity might make the determination that it is in its best interest not to monitor the activities of its business associates. Such an approach might not necessarily shield a covered entity from civil liability that might arise from a business associate’s failure to adequately safeguard protected health information entrusted to it by a covered entity. A covered entity might find itself defending itself from allegations of negligently entrusting protected health information to a business associate whose background it failed to investigate, or whose practices it failed to monitor or supervise.

As the regulations provide no guidance in this area, covered entities will have to reach their own conclusions and establish policies and procedures to address monitoring business associates after consulting with counsel as to just how much investigation and monitoring or supervision, if any, of business associates will be appropriate for them, given the legal risks involved.

Discussion Example

Before providing PHI to a plan sponsor, the group health plan must “ensure that the plan documents restrict uses and disclosures [sic] of such information by the plan sponsor consistent with the requirements of this subpart.” This means that, among other things, the plan documents must “describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the PHI to be disclosed.”

Must a third party administrator for the group health plan review the plan documents for language meeting the implementation specification requirements of Section 164.504?

What if the TPA suspects that the plan sponsor shares PHI with employees other than those described in the plan documents?

Additional questions?

Peter B. Goldstein
Cap Gemini Ernst & Young US LLC
9781 South Meridian Blvd., Suite 220
Englewood, Colorado 80112
720-568-4323
peter.goldstein@cgey.com