Headaches and Pitfalls in Business Associate Contract Management

Transcription

1 Headaches and Pitfalls in Business Associate Contract Management ISACA Puget Sound Chapter September Monthly Luncheon Meeting September 17, Christiansen IT Law

2 Presenter CV John R. Christiansen, J.D. - Christiansen IT Law Chair, ABA HITECH Megarule/Business Associates Task Force (2009 pres.); Committees on Healthcare Privacy, Security and Information Technology ( ); on Healthcare Informatics ( ); and PKI Assessment Guidelines Health Information Protection and Security Task Group ( ) Author, The HITECH Business Associate Contracts Bible (ABA 2013); State and Federal Consent Laws Affecting Health Information Exchange (NGA 2011); Policy Solutions for Advancing Interstate Health Information Exchange (NGA 2009); An Integrated Standard of Care for Healthcare Information Security (AHLA 2005); Electronic Health Information: Security and Privacy Compliance under HIPAA (AHLA 2000) Special Assistant Attorney General to Washington State Health Care Authority, health care information issues related to HIPAA, HITECH, and related issues Privacy and Security Expert, ONC/OCR Comprehensive Campaign for Communication and Education About the HITECH Act ( ); Consultant, ONC State Health Policy Consortium (2010 pres.); Technical Advisor, ONC Health Information Security and Privacy Collaboration ( ) Executive Committee/Secretary, Washington State Bar Association Health Law Section (2012 pres.) Adjunct Faculty, University of Washington Information School ( ); Oregon Health and Sciences University Division of Medical Informatics and Outcomes Research ( ) 2013 Christiansen IT Law Privacy/Security/Compliance 2

3 Our Agenda I Assume You Know at Least the Fundamentals of the Omnibus Rule September 23 is Less than Six Days Away Quick Basics of Terminology Scary Diagrams Business Associate Contract Pass-Along Problems A Few Sample Problems 2013 Christiansen IT Law Privacy/Security/Compliance 3

4 You Think Organic Chemistry is Complicated? 2013 Christiansen IT Law Privacy/Security/Compliance 4

5 A Few HITECH BA Chain Variations 2013 Christiansen IT Law Privacy/Security/Compliance 5

6 Covered Entities (CE): Business Associate Terminology Organizations directly involved in health claims transactions Any health care provider which gets paid electronically, health plans, health care clearinghouses Must have Business Associate Contract (BAC) with Business Associate Business Associate (BA): Performs or assists in the performance of a function or activity involving the use or disclosure of PHI on behalf of a CE Claims processing or administration; data analysis, processing or administration; utilization review; billing; quality assurance; benefit management; practice management, repricing; IT services; security management and administration; legal, actuarial, accounting, consulting, etc. services to or for CE 2013 Christiansen IT Law 6

7 Subcontractor: Business Associate Terminology Any person to which BA delegates function, activity or service involving PHI which BA performs for a CE Defined as BA, required to have BAC with BA delegating function/activity/service Conduit: Data transmission services only Hosting services are not conduits, even if data is well-encrypted and services has no access to keys No BAC Services Provider: A person which BA allows to obtain, use, disclose PHI for BA purposes No BAC Agreement to keep PHI confidential, only use/disclose PHI for BA purposes (or required by law), report breaches of confidentiality 2013 Christiansen IT Law 7

8 Subcontractor: Business Associate Terminology Any person to which BA delegates function, activity or service involving PHI which BA performs for a CE Defined as BA, required to have BAC with BA delegating function/activity/service Conduit: Data transmission services only Hosting services are not conduits, even if data is well-encrypted and services has no access to keys No BAC Services Provider: A person which BA allows to obtain, use, disclose PHI for BA purposes No BAC Agreement to keep PHI confidential, only use/disclose PHI for BA purposes (or required by law), report breaches of confidentiality 2013 Christiansen IT Law 8

9 Business Associate Terminology Regulatory status is definitional If it does what a CE, BA or Subcontractor does, it s a CE, BA or Subcontractor Knowledge or intent are irrelevant Presence, absence or content of a contract is irrelevant 2013 Christiansen IT Law Privacy/Security/Compliance 9

10 Business Associate Terminology Long Chain Subcontracting Upstream: CE, or BA delegating function Downstream: BA to which function is delegated First tier BA: BA with direct delegation from CE Second tier BA: BA with direct delegation from first tier BA (and third, fourth tier, etc.) Lower tier BAs: BAs below first tier 2013 Christiansen IT Law 10

11 Business Associate Terminology Side Chain Services Providers BA retains organization to provide services to BA Not a BA/Subcontractor* BA Services Provider may use, disclose PHI for BA purposes BA Services Provider may use other parties to provide support/related services for BA purposes These parties are also not BAs * Note: Same kind of services provider to CE is a BA 2013 Christiansen IT Law 11

12 Pass-Along Problems 1. PHI Use/Disclosure Limitations for CE Functions, Activities, Services CE must pass-along to First Tier BA: General Privacy Rule limitations required part of BAC NOPP limitations (if any) implied, not required in BAC Additional restrictions (if any) implied, not required in BAC Minimum necessary policies (see below) implied, not required in BAC First Tier BA must pass-along BAC limitations to Second Tier BA First Tier BA may add more stringent limitations to Downstream BAC Each Lower Tier BA must pass-along limitations from Upstream BAC Each BA may add more stringent limitations to Downstream BAC 2013 Christiansen IT Law Privacy/Security/Compliance 12

13 Pass-Along Problems 2. Individual Access/Accounting Timing and Format Long-chain relationships must ensure CE can comply with: 30 day access response (permitted 60 day extension if PHI not maintained on-site by CE) CE review for denial may be necessary Requests for copies in specified electronic formats 60 day response for accounting of disclosure (permitted 30 day extension if CE gives statement of reasons) BAC response requirements shorten with each link in the chain permitted as More Stringent requirement 2013 Christiansen IT Law Privacy/Security/Compliance 13

14 Pass-Along Problems 3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes Optional BAC provisions permitting Business Associates to use/disclose PHI for Business Associate management, administration, legal responsibilities, if required by law CE not required to include in BAC First and Lower Tier BAs not required to include in BAC even if CE permits ( more stringent ) If not included, BAs below cutoff (BAC not including optional provisions) may not use/disclose PHI for e.g. legal services, audit, consultants, breach investigation, personnel matters (e.g. Security Rule sanctions enforcement), etc., etc Christiansen IT Law Privacy/Security/Compliance 14

15 Pass-Along Problems 3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes First Tier BAC does not permit use/disclosure for BA purposes First Tier BA cannot disclose PHI to law firm Second Tier BA cannot disclose PHI to security services provider Third Tier BA cannot use third party hosting services Etc Christiansen IT Law 15

16 Pass-Along Problems 4. Minimum Necessary A covered entity s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR (e)(2)(i). Thus, a business associate contract must limit the business associate s uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity s minimum necessary policies and procedures... OCR Health Information Privacy FAQ, All BAs have to comply with CE minimum necessary policies BAs (mostly) don t have the authority to adopt their own minimum necessary policies 2013 Christiansen IT Law Privacy/Security/Compliance 16

17 Pass-Along Problems 4. Minimum Necessary Not a specifically required BAC provision Strongly implied: BA can t use/disclose PHI in a manner CE can t, and CE mostly can t use/disclose except under minimum necessary policy OCR BAC Sample optional provisions Does the CE have minimum necessary policies and procedures? Are the CE s minimum necessary policies complete and intelligible? Do the CE s minimum necessary policies include purposes, positions, PHI scope consistent with BA services, functions, activities? Both for CE purposes, and for BA administrative etc. purposes E.g. physician practice outsources all EHR functions, has no need or policy for network administrator Note that professional services provider (e.g. audit, consulting, law firm) can define minimum necessary in request to CE but can t in request to BA 2013 Christiansen IT Law Privacy/Security/Compliance 17

18 Pass-Along Problems 5. BAC Termination Problems How to coordinate termination of lower tiers? How does CE obtain return of PHI from lower tiers? Lower tier BAC probably specifies that PHI will be returned to upstream BA upon termination Can lower tier BAC include permission to retain PHI if upstream BAC does not? Should CE have notice of lower tier BA retention? Can Services Providers retain PHI? Can BA allow Services Provider to retain PHI? Does retention provision have to be in BA/Services Provider agreement? 2013 Christiansen IT Law Privacy/Security/Compliance 18

19 Pass-Along Problems 6. Breach Notification BAC required to specify reporting of security incidents, unauthorized use/disclosure of PHI, breaches Lower tier BACs probably specify that Downstream BA will notify Upstream BA Agreements with Services Providers must include requirement to report breach of confidentiality not the same as a Breach Notification Rule breach? Breach Notification Rule independently requires any BA to notify CE of breaches 2013 Christiansen IT Law Privacy/Security/Compliance 19

20 Pass-Along Problems 6. Breach Notification First Tier BA has regulatory and contract requirement to notify CE Second Tier BA has regulatory requirement to notify CE, and contract requirement to notify First Tier BA Third Tier BA has regulatory requirement to notify CE, and contract requirement to notify Second Tier BA Etc Christiansen IT Law 20

21 Pass-Along Problems 6. Breach Notification Breach Notification Rule specifies that the CE (or its designee ) has the authority to determine if an unauthorized use/disclosure is a breach Even though BAs must report breaches? Under some conditions both CE and BA may have state law breach notification obligations BA must notify CE with no unreasonable delay, maximum 60 days from when it knew/should have known of breach CE must notify individuals, OCR (if more than 500 affected individuals) with no unreasonable delay, maximum 60 days from when it knew/should have known of breach CE imputed BA knowledge if BA is CE agent under federal common law State laws typically require maximum 60 days notice BAC response requirements shorten with each link in the chain 2013 Christiansen IT Law Privacy/Security/Compliance 21

22 Contract to Pass Along in These Variations Bundled IT Service Provider BA with multiple Subcontractor Chains and Side Chains 2013 Christiansen IT Law Privacy/Security/Compliance 22

23 Contract to Pass Along in These Variations Multi-Services QIO with Multiple CEs Using Various Services Provided through multiple Subcontractor Chains, with Side Chains 2013 Christiansen IT Law Privacy/Security/Compliance 23

24 Contract to Pass Along in These Variations HIO Providing Multiple Services to Open Community of CEs and BAs Using Various Services Provided through Multiple Subcontractor Chains, with Side Chains 2013 Christiansen IT Law Privacy/Security/Compliance 24

25 Contract to Pass Along in These Variations External Audit and Legal BAs, with Support Subcontractors, Reviewing Health Plan Compliance Issues 2013 Christiansen IT Law Privacy/Security/Compliance 25

26 How to Solve These Problems 2013 Christiansen IT Law Privacy/Security/Compliance 26

27 If That Doesn t Work Christiansen IT Law Privacy/Security/Compliance 27

28 Questions? Answers? Thanks! 2013 Christiansen IT Law Privacy/Security/Compliance 28