HIPAA compliance, part 1: who are your "business associates"? The answer matters, because you are responsible for their adhering to HIPAA privacy rules. (Feature Article)

With the effective date of the Health Insurance Portability and Accountability Act's (HIPAA) privacy standards approaching on April 13, 2003, long-term care facilities must focus on complying with many new rules dealing with privacy of residents' health information. One of the major concerns is how to protect this information when it passes from the facility to an outside source. In implementing the HIPAA rules, the regulators have created a "new" relationship--that of "business associate." How facilities will deal with their business associates and meet the requirements of HIPAA is a complex task, which begins by identifying which of your vendors and independent contractors can be termed "business associates."

The guiding principle under the HIPAA privacy standards is that as society enters the electronic era, health plans, healthcare data clearinghouses and healthcare providers (collectively referred to as "covered entities") will be gathering "individually identifiable health information" about residents. This information is private and deserves protection in the ways it is collected and disclosed. However, there is also the recognition that healthcare providers who are "covered entities," and thus subject to HIPAA, must deal with third parties in order to operate. The business associate rules are designed to ensure that the privacy of personal health information is maintained even when the individually identifiable information is passed on to these third parties.

Who are your business associates?

HIPAA defines a business associate as a person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information.
The regulations include examples of functions handled by business associates, such as claims processing; administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefits management and practice management. In addition, individuals or entities that provide legal, accounting, actuarial, data aggregation, management, administration, accreditation or financial services to or for a covered entity, and who receive individually identifiable health information from the covered entity or another business associate, are themselves considered business associates. Some relationships that fall under the business associate umbrella include those with billing companies that act on behalf of the provider and receive individually identifiable health information in the form of resident billing information, or the hiring of a consultant to review the accuracy of billing and coding practices.

Based on this definition, are the attending physicians in your facility considered business associates? Certainly they have access to individually identifiable health information. But there is a general exception to the business associate rule concerning disclosures by a covered entity to a healthcare provider when treatment is involved. In short, it does not apply. This exception means that the attending physician who only renders treatment would not need to enter into a business associate relationship with the facility. However, should the physician also serve in another capacity, such as medical director, and perform services such as quality assurance or utilization management on behalf of the covered entity, then the facility and the physician will need to enter into a business associate relationship.

To determine whether an entity is a business associate, look at the activities, functions or services being provided by the third party.
Whether a vendor or contractor needs a business associate contract depends on what that vendor does for the facility, not what the vendor calls itself. The previous medical director example is a good starting point for analyzing this concept. It is not the title "medical director," but the services that a medical director provides to the facility, that could result in a business associate relationship. Similarly, a software vendor who only provides software to the facility probably would not be a business associate. If that same software vendor needs or obtains access to individually identifiable health information in the process of using or installing the software, however, then that individual would be considered a business associate.

Who isn't a business associate?

A member of the facility's workforce would not be considered a business associate ("workforce" meaning employees, volunteers, trainees and others whose activities are directly controlled by the covered entity). Independent contractors can be considered members of the workforce in those situations where the individual's job duties are controlled by the covered entity and the contractor is treated as a member of the workforce by virtue of not having entered into a business associate agreement. For example, an independent contractor who provides information technology support under the direction of the facility's information technology manager and maintains an office at the facility would be assumed to be a member of the workforce if no business associate contract exists. (A word of caution on independent contractors: If a facility wants to ensure that the Internal Revenue Service will treat its independent contractors as truly independent for tax reasons, the facility might choose to be consistent and not treat its contractors as members of the workforce.)

There are other instances where the relationship between two parties does not rise to the level of that of a business associate.
If a healthcare provider provides individually identifiable health information to a health plan for the purpose of payment, no business associate relationship is created because neither entity is acting within a service capacity in performing this transaction. A group health plan that purchases insurance or coverage from a health insurance provider or HMO does not create a business association. However, if the provider or HMO undertakes activities with the covered entity that are in addition to or not directly related to insurance, then the health insurer could become a business associate. A business associate relationship does not exist when the organization acts as a conduit for individually identifiable health information. That is to say, the conduit transports the information, but does not have access to it on other than a random or infrequent basis. The U.S. Postal Service and private courier services are examples of conduit organizations.

Next Steps

After completing the difficult task of identifying business associates, a facility's next step is to amend existing agreements or prepare new agreements with the business associates named in order to meet HIPAA requirements. The good news is that included in the proposed regulations issued on August 14, 2002, is an extension of the deadline for completing these business associate agreements. The regulations allow providers to continue to operate under existing contracts for up to one year beyond the April 14, 2003, deadline, provided that the existing contract is not reviewed or modified. This extension allows facilities to amend existing contracts in the course of business, as long as the modifications take place no later than April 14, 2004. Lastly, a facility needs to have provisions included in agreements with its business associates that meet the requirements of the privacy standard.
In the next installment, we'll discuss how to monitor business associates for HIPAA compliance once the agreements have been signed.

At the time of this writing, Sandra K. Battaglia, Esq., was special counsel to the Health Law Department of Cozen O'Connor, practicing in the firm's Wilmington, Delaware office. Battaglia concentrates her practice in the area of transactional issues for long-term care and other healthcare providers, including regulatory and compliance matters, as well as physician practice management. To comment on this article, please send e-mail to battaglia1002@nursinghomesmagazine.com.