HIPAA compliance, part 1: who are your "business associates"? The answer matters, because you are responsible for their adhering to HIPAA privacy rules. (Feature Article).With the effective date of the Health Insurance Portability and Accountability Act's (HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, ) privacy standards approaching on April 13, 2003, long-term care facilities long-term care facility n. See skilled nursing facility. must focus on complying with many new rules dealing with privacy of residents' health information. One of the major concerns is how to protect this information when it passes from the facility to an outside source. In implementing the HIPAA rules, the regulators have created a "new" relationship--that of "business associate." How facilities will deal with their business associates and meet the requirements of HIPAA is a complex task, which begins by identifying which of your vendors and independent contractors A person who contracts to do work for another person according to his or her own processes and methods; the contractor is not subject to another's control except for what is specified in a mutually binding agreement for a specific job. can be termed "business associates." The guiding principle under the HIPAA privacy standards is that as society enters the electronic era, health plans, healthcare data clearinghouses and healthcare providers (collectively referred to as "covered entities") will be gathering "individually identifiable health information" about residents. This information is private and deserves protection in the ways it is collected and disclosed. However, there is also the recognition that healthcare providers who are "covered entities," and thus subject to HIPAA, must deal with third parties in order to operate. The business associate rules are designed to ensure that the privacy of personal health information is maintained even when the individually identifiable information is passed on to these third parties. Who are your business associates? HIPAA defines a business associate as a person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information. The regulations include examples of functions handled by business associates, such as claims processing; administration; data analysis, processing or administration; utilization review u·til·i·za·tion review n. A process for monitoring the use, delivery, and cost-effectiveness of services, especially those provided by medical professionals. ; quality assurance; billing; benefits management and practice management. In addition, individuals or entities that provide legal, accounting, actuarial ac·tu·ar·y n. pl. ac·tu·ar·ies A statistician who computes insurance risks and premiums. [Latin , data aggregation, management, administration, accreditation accreditation, n a process of formal recognition of a school or institution attesting to the required ability and performance in an area of education, training, or practice. or financial services The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. to or for a covered entity, and who receive individually identifiable health information from the covered entity or another business associate, are themselves considered business associates. Some relationships that fall under the business associate umbrella include those with billing companies that act on behalf of the provider and receive individually identifiable health information in the form of resident billing information, or the hiring of a consultant to review the accuracy of billing and coding practices. Based on this definition, are the attending physicians in your facility considered business associates? Certainly they have access to individually identifiable health information. But there is a general exception to the business associate rule concerning disclosures by a covered entity to a healthcare provider when treatment is involved. In short, it does not apply. This exception means that the attending physician who only renders treatment would not need to enter into a business associate relationship with the facility. However, should the physician also serve in another capacity, such as medical director, and perform services such as quality assurance or utilization management Utilization management is the evaluation of the appropriateness, medical need and efficiency of health care services procedures and facilities according to established criteria or guidelines and under the provisions of an applicable health benefits plan. on behalf of the covered entity, then the facility and the physician will need to enter into a business associate relationship. To determine whether an entity is a business associate, look at the activities, functions or services being provided by the third party. Whether a vendor or contractor needs a business associate contract depends on what that vendor does for the facility, not what the vendor calls itself. The previous medical director example is a good starting point Noun 1. starting point - earliest limiting point terminus a quo commencement, get-go, offset, outset, showtime, starting time, beginning, start, kickoff, first - the time at which something is supposed to begin; "they got an early start"; "she knew from the for analyzing this concept. It is not the title "medical director," but the services that a medical director provides to the facility, that could result in a business associate relationship. Similarly, a software vendor who only provides software to the facility probably would not be a business associate. If that same software vendor needs or obtains access to individually identifiable health information in the process of using or installing the software, however, then that individual would be considered a business associate. Who isn't a business associate? A member of the facility's workforce would not be considered a business associate ("workforce" meaning employees, volunteers, trainees and others whose activities are directly controlled by the covered entity). Independent contractors can be considered members of the workforce in those situations where the individual's job duties are controlled by the covered entity and the contractor is treated as a member of the workforce by virtue of not having entered into a business associate agreement. For example, an independent contractor who provides information technology support under the direction of the facilities information technology manager and maintains an office at the facility would be assumed to be a member of the workforce if no business associate contract exists. (A word of caution on independent contractors: If a facility wants to ensure that the Internal Revenue Service will treat its independent contractors as truly independent for tax reasons, the facility might choose to be consistent and not treat its contractors as members of the workforce.) There are other instances where the relationship between two parties does not rise to the level of that of a business associate. If a healthcare provider provides individually identifiable health information to a health plan for the purpose of payment, no business associate relationship is created because neither entity is acting within a service capacity in performing this transaction. A group health plan that purchases insurance or coverage from a health insurance provider or HMO HMO health maintenance organization. HMO n. A corporation that is financed by insurance premiums and has member physicians and professional staff who provide curative and preventive medicine within certain financial, does not create a business association. However, if the provider or HMO undertakes activities with the covered entity that are in addition to or not directly related to insurance, then the health insurer An individual or company who, through a contractual agreement, undertakes to compensate specified losses, liability, or damages incurred by another individual. An insurer is frequently an insurance company and is also known as an underwriter. could become a business associate. A business associate relationship does not exist when the organization acts as a conduit conduit /con·du·it/ (kon´doo-it) channel. ileal conduit the surgical anastomosis of the ureters to one end of a detached segment of ileum, the other end being used to form a stoma on the for individually identifiable health information. That is to say, the conduit transports the information, but does not have access to it on other than a random or infrequent in·fre·quent adj. 1. Not occurring regularly; occasional or rare: an infrequent guest. 2. basis. The U.S. Postal Service The U.S. Postal Service (USPS) processes and delivers mail to individuals and businesses within the United States. The service seeks to improve its performance through the development of efficient mail-handling systems and operates its own planning and engineering programs. and private courier A monospaced typeface originating from the typewriter that is commonly used for letters. It is still considered by many to be the "appropriate" typeface for business correspondence. services are examples of conduit organizations. Next Steps After completing the difficult task of identifying business associates, a facility's next step is to amend existing agreements or prepare new agreements with the business associates named in order to meet HIPAA requirements. The good news is that included in the proposed regulations issued on August 14, 2002, is an extension of the deadline for completing these business associate agreements. The regulations allow providers to continue to operate under existing contracts for up to one year beyond the April 14, 2003, deadline, provided that the existing contract is not reviewed or modified. This extension allows facilities to amend existing contracts in the course of business, as long as the modifications take place no later than April 14, 2004. Lastly, a facility needs to have provisions included in agreements with its business associates that meet the requirements of the privacy standard. In the next installment, we'll discuss how to monitor business associates for HIPAA compliance once the agreements have been signed. At the time of this writing, Sandra sandra (sänˑ·dr  ),adj K. Battaglia, Esq., was special counsel to the Health Law Department of Cozen coz·en v. coz·ened, coz·en·ing, coz·ens v.tr. 1. To mislead by means of a petty trick or fraud; deceive. 2. To persuade or induce to do something by cajoling or wheedling. 3. O'Connor, practicing in the firm's Wilmington, Delaware Wilmington is the largest city in the state of Delaware and is located at the confluence of the Christina River and Brandywine Creek, near where the Christina flows into the Delaware River. office. Battaglia concentrates her practice in the area of transactional issues for long-term care long-term care (LTC), n the provision of medical, social, and personal care services on a recurring or continuing basis to persons with chronic physical or mental disorders. and other healthcare providers, including regulatory and compliance matters, as well as physician practice management. To comment on this article, please send e-mail to battaglia1002@nursinghomesmagazine.com. |
|
||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion