A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA
Health Care Provider Edition, Version 1
Policy and Procedure Templates

Reflects modifications published in the Federal Register as follows: August 14, 2002 (Privacy Rule); February 20, 2003 (Security Rule); February 19, 2009 (The American Recovery and Reinvestment Act of 2009).

Privacy originally published by CLAYTON MACBAIN LLC, April 2003. Security originally published by THE CLAYTON GROUP LLC, April 2005. Revised 2009 by Lesley E. Berkeyheiser and Mark Cone, N-Tegrity Solutions Group, LLC. ARRA 2009 edition published by N-TEGRITY SOLUTIONS GROUP LLC.

ARRA SEC. 13401 - APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS

BACKGROUND: Under HIPAA, each business associate (BA) was responsible for safeguarding and protecting the PHI it handled. This obligation was typically conveyed through the Business Associate Agreement; the covered entity was the only business entity directly subject to Civil Monetary Penalties for wrongful disclosures. ARRA extends monetary penalties to business associates and applies the basic safeguard provisions of the HIPAA Security Rule directly to them. The HIPAA Security Standards named are: 1) Administrative Safeguards; 2) Physical Safeguards; 3) Technical Safeguards; and 4) Policies and Procedures and Documentation Requirements. This means that every business associate must now conduct an initial HIPAA Security Risk Assessment (and repeat it on a routine, ongoing basis), mitigate the gaps between these requirements and its business, and create and implement written policies and procedures that address these requirements. In addition to carrying out the Safeguards named above, the business associate is now directly accountable for wrongful disclosures, just as if it were a covered entity.

NOTE: Because wrongful disclosures in the law are specific to individually identifiable health information, the extent to which the Privacy provisions are affected is addressed under ARRA Section 13404.

EFFECTIVE DATE: As of July 2009, according to the Office of the National Coordinator (ONC) 2009 Implementation Plan, the Centers for Medicare & Medicaid Services (CMS) will issue regulations extending certain HIPAA Security Rule provisions to business associates under Section 13401 by February 18, 2010. In addition, on a yearly basis, DHHS shall continue to issue guidance on the most appropriate technical safeguards for use in carrying out the security standards.
2009 N-Tegrity Solution Group 1

IMPLEMENTATION NOTES:

1. Revise your internal DISCLOSURE OF PROTECTED HEALTH INFORMATION TO BUSINESS ASSOCIATES AND OTHER CONTRACTORS Policy and Procedure.

2. As a covered entity, review all business associate agreements to assure that they are valid (that the entity with which you are contracting is indeed acting as a business associate) and current (that the relationship is clearly defined and mirrors your business operations). NOTE: The BA DECISION TREE has been included in this document to assist in performing this step.

3. Review and revise Business Associate Contract language. NOTE: A sample contract (revised with ARRA-related language) has been included. Contact all business associates and amend the language to assure that contractual documents state that business associates are now responsible for adopting Sections 164.308, 164.310, 164.312, and 164.316 of Title 45, Code of Federal Regulations (Administrative, Physical and Technical Safeguards and the related documentation of policies and procedures). In addition, based on clarification by CMS, consider revising language to clearly address the uses and disclosures of PHI by the business associate. NOTE: To perform this step, first review the enclosed document: Implementing Business Associate Agreements To Meet HIPAA Privacy and Security Requirements (Revised to comply with ARRA 2009).

4. Consider whether or not your organization wants to conduct due diligence on your business associates (you may choose to do so based on your organization's risk assessment results). For example, a covered entity that outsources all of its operations to one business associate (which generates PHI on the CE's behalf) may choose to go further in its due diligence than if the BA only handled a copy of PHI for a very limited and specific purpose. Steps such as requiring the business associate to submit copies of its recent Security Risk Analysis and its set of policies and procedures may be considered.

AFFECTS THE FOLLOWING (Clayton-MacBain/Clayton Group) POLICIES AND PROCEDURES: For Covered Entities: DISCLOSURE OF PROTECTED HEALTH INFORMATION TO BUSINESS ASSOCIATES AND OTHER CONTRACTORS or BUSINESS ASSOCIATES CONTRACTS AND OTHER ARRANGEMENTS

DISCLOSURE OF PROTECTED HEALTH INFORMATION TO BUSINESS ASSOCIATES AND OTHER CONTRACTORS

RESPONSIBILITY: Privacy Official, General Counsel, Security Official

BACKGROUND: [ENTITY] sometimes contracts with other organizations, or with individuals who are not members of [ENTITY]'s workforce, to perform services. These may range from computer system maintenance to accounting and legal services to quality improvement studies. Such contractors may require access to protected health information (PHI) to perform their services for [ENTITY]; these contractors are termed business associates. HITECH introduced additional entities that will be treated as business associates: those that provide data transmission services for a covered entity and require access to protected health information (Health Information Exchange Organization, e-Prescribing Gateway, etc.), and those that act as a vendor of a PHR on behalf of a covered entity. These entities will now be required to enter into a written contract or some other written arrangement. Contractors or business entities that do not require access to PHI to perform their duties under their contracts are not business associates and will not be treated as such.

The purpose of this policy and procedure is to establish standards for contracts between [ENTITY] and its business associates and other contractors regarding the privacy and confidentiality of PHI. This provides assurance that PHI will be safeguarded and that [ENTITY] will have adequate access to PHI maintained by business associates. It also establishes accountability to [ENTITY] for how the business associate handles PHI. Sample wording for a business associate contract, as recommended by the federal Department of Health and Human Services (DHHS), is attached to this policy as an appendix.

POLICY:

1. No member of the [ENTITY] workforce is permitted to disclose protected health information (PHI) to a contractor unless that contractor requires the information in order to perform the services for which [ENTITY] has contracted with it.

2. If [ENTITY] conducts business with a contractor that provides data transmission services for protected health information and requires access to such information (e.g., a Health Information Exchange, Regional Health Information Organization, or e-Prescribing Gateway), or with a vendor that allows [ENTITY] to offer patients access to a Personal Health Record, that contractor (a non-HIPAA covered entity) will be treated as a business associate.

3. No member of the [ENTITY] workforce is permitted to disclose protected health information (PHI) to a business associate (see DEFINITIONS) or to a non-HIPAA covered entity treated as a business associate, or to allow such an entity to obtain PHI on behalf of [ENTITY], unless a written contract (or other written arrangement) has been executed between [ENTITY] and the business associate or non-HIPAA covered entity. This agreement must include provisions that meet the standards listed in this policy.

4. No business associate of [ENTITY] is permitted to disclose protected health information to another business associate unless a written agreement has been executed between [ENTITY] and each business associate.

5. If [ENTITY] learns that a business associate, or a non-HIPAA covered entity being treated as a business associate, has materially violated its agreement, [ENTITY] will so notify the business associate. Failure to cure the breach within thirty days will result in termination of the agreement. If, for some reason, [ENTITY] determines that it is not feasible to terminate the agreement, the Secretary of the federal Department of Health and Human Services will be notified. [NOTE: Organizations may want to include other specific remedies, such as the right to require a business associate to remove certain members of its workforce from participation under the contract in the event of a breach. However, this is not a substitute for the requirement that the contract be terminated if a breach is not cured within thirty days of notification from the organization.]

6. Contractors that do not require PHI in order to fulfill their contractual responsibilities to [ENTITY] are not considered business associates. However, since such contractors may encounter PHI incidentally in the course of performing their duties under their contracts, and since [ENTITY] has a duty to safeguard PHI, all [ENTITY] contracts for services will contain the basic confidentiality clause listed in this policy.

Business Associate Agreement Not Required

7. When [ENTITY] discloses PHI to a provider of health care services for purposes of providing medical treatment to the individual to whom the PHI pertains, a business associate agreement with the provider is not required.

8. A business associate agreement is not required to disclose PHI to a health plan for purposes of obtaining payment for health care services. However, health plan contracts with [ENTITY] must conform to the standards of the TRADING PARTNER AGREEMENT policy.

9. Disclosures of PHI from [ENTITY]'s group health plan to [ENTITY], in its capacity as plan sponsor, are governed by the plan documents, and a business associate agreement is not required. (See EMPLOYEE HEALTH BENEFIT PLAN policy.)

10. If a business associate is required by law to perform a function or activity on behalf of [ENTITY], or to provide a service described in the definition of business associate (see DEFINITIONS), [ENTITY] may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate. [ENTITY] will attempt in good faith to obtain an agreement that meets the standards of this policy and, if such attempt fails, will document the attempt and the reasons that the agreement cannot be obtained.

Types of Business Associates

11. At a minimum, persons and organizations that provide the following types of services to or on behalf of [ENTITY] are considered business associates:
11.1. Health care clearinghouse (an organization which transmits electronic transactions to, or receives electronic transactions from, other organizations on behalf of [ENTITY])
11.2. Fundraising or marketing
11.3. Mailing
11.4. Data analysis or data aggregation of any kind, including services that de-identify PHI
11.5. Professional services, such as consulting, legal, accounting and auditing, actuarial, management or administration, financial, etc.
11.6. Accreditation
11.7. Electronic data processing, including software and hardware maintenance
11.8. Photocopying medical records and other sources of PHI
11.9. Document shredding
11.10. Repricing (such as performed by a preferred provider organization to apply negotiated discounts to claims)
11.11. Storage of PHI (both paper records and electronic media)
11.12. Outsourced services, such as billing or collections, that involve PHI in any way
11.13. Web site hosting
11.14. Collection of PHI from patients
11.15. Vendor of a PHR for [ENTITY]
11.16. Health Information Exchange Organization (HIE)
11.17. Regional Health Information Organization (RHIO)
11.18. e-Prescribing Gateway

ADDITIONAL POLICY EXISTS. THIS SAMPLE IS MEANT TO PROVIDE AN IDEA OF HOW THE ORIGINAL CLAYTON GROUP TEMPLATE IS BEING CHANGED (SHOWN IN BLUE TEXT IN THE ORIGINAL) OR OF THE NEW COMPONENTS THAT SHOULD BE CONSIDERED FOR POLICIES THAT YOUR ORGANIZATION INDEPENDENTLY DEVELOPED.

Business Associate (BA) Decision Tree (updated and changed for the HITECH Act from ARRA 2009) [decision tree figure not reproduced in this transcription]

SAMPLE - HIPAA Business Associate Agreement
(This document is constructed based on the original sample BAA released by CMS.)

This Business Associate Agreement ("Agreement") is entered into this ___ day of ________, between <covered entity>, a <state corporation> ("Company"), and <business associate>, a <state corporation> ("Contractor").

RECITALS

I. Company is a <type of organization> that <description of primary functions or activities> with a principal place of business at <address>.

II. Contractor is a <type of organization> that <description of primary functions or activities> with a principal place of business at <address>.

III. Company, as a Covered Entity as defined herein under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), is required to enter into this Agreement to obtain satisfactory assurances that Contractor, a Business Associate under HIPAA, will appropriately safeguard all Protected Health Information ("PHI"), as defined herein, disclosed to, created by, or received by Contractor on behalf of Company.

IV. Company desires to engage Contractor to perform certain functions for, or on behalf of, Company involving the disclosure of PHI by Company to Contractor, or the creation or use of PHI by Contractor on behalf of Company, and Contractor desires to perform such functions. <Description of the services to be performed should be included here or attached in a specific Addendum.>

V. Contractor may be an organization that provides data transmission of protected health information to Company and requires routine access to protected health information, or a Vendor of Personal Health Records. As required under Section 13408 of the HITECH Act, such a Contractor will be treated as a Business Associate of Company.

In consideration of the mutual promises below and the exchange of information pursuant to this Agreement, and in order to comply with all legal requirements for the protection of this information, the parties agree as follows:

A. Definitions of Terms

1. "Agreement" means this Business Associate Agreement.
2. "Breach" shall mean the acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. (HITECH Act, Subtitle D.)
3. "Business Associate" shall have the meaning given to such term in 45 C.F.R. section 160.103.
4. "C.F.R." shall mean the Code of Federal Regulations.
5. "Designated Record Set" shall have the meaning given to such term in 45 C.F.R. section 164.501.
6. "Covered Entity" shall have the meaning given to such term in 45 C.F.R. section 160.103.
7. "Electronic Health Record" shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
8. "Electronic Protected Health Information" means Protected Health Information that is transmitted by Electronic Media (as defined in the Security and Privacy Rule) or maintained in Electronic Media.
9. "Personal Health Record" shall mean an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual. (HITECH Act, Subtitle D.)
10. "Protected Health Information" or "PHI" shall have the meaning given to such term in 45 C.F.R. section 164.501, limited to the information created or received by Contractor from or on behalf of Covered Entity.
11. "Required By Law" shall have the same meaning as the term "required by law" in 45 C.F.R. section 164.501.
12. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.
13. "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
14. "Security Rule" shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 162 and Part 164, Subparts A and C. Sections 164.308, 164.310, 164.312, and 164.316 of Title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.
15. "Unsecured PHR Identifiable Health Information" is information that is not protected through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act.
16. "Vendor of Personal Health Records" shall mean an entity, other than a covered entity, that offers or maintains a personal health record. (HITECH Act, Subtitle D.)

B. Obligations and Activities of Contractor

1. Contractor agrees not to use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law.
2. Contractor agrees to use appropriate safeguards to prevent use or disclosure of Protected Health Information other than as provided for by this Agreement.
3. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement.
4. Contractor agrees to report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware.
5. Contractor agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Contractor on behalf of, Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Contractor with respect to such information.
6. Contractor agrees to provide access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the requirements of 45 C.F.R. 164.524.
7. Contractor agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. 164.526, at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
8. Contractor agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Contractor on behalf of, Covered Entity available to Covered Entity, or to the Secretary, in a time and manner designated by Covered Entity or by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy and Security Rules.
9. Contractor agrees to document such disclosures of Protected Health Information, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.
10. Contractor agrees to provide to Covered Entity or an Individual, in the time and manner designated by Covered Entity, information collected in accordance with Section B.9 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.
11. Contractor shall maintain a comprehensive security program appropriate to the size and complexity of Contractor's operations and the nature and scope of its activities, as defined in the Security Rule.
12. Contractor and its agents and subcontractors are prohibited from directly or indirectly receiving any remuneration in exchange for an individual's protected health information unless the individual provides a valid authorization.
13. Contractor shall contact Covered Entity immediately upon discovering a breach of unsecured protected health information.
13.1. The notification shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired or disclosed during such breach.
13.2. Notification to individuals must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Notification must be coordinated with and approved by Covered Entity.
13.3. Covered Entity will coordinate with Contractor in determining the additional specific actions that will be required of Contractor to mitigate the breach.
13.4. If Contractor is a vendor of personal health records, notification of the breach must also be made to the Federal Trade Commission.
14. Contractor shall be responsible for any and all costs associated with the notification and mitigation of a data breach that has occurred because of the negligence of Contractor.
15. Contractor shall be subject to prosecution by the Department of Justice for criminal violations of HIPAA if Contractor obtains or discloses individually identifiable health information without authorization, and shall be responsible for any and all costs associated with such prosecution.

C. Permitted Uses and Disclosures by Contractor

General Use and Disclosure Provisions. Except as otherwise limited in this Agreement, Contractor may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in [Insert Name of Services Agreement], provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of Covered Entity.

Specific Use and Disclosure Provisions [only necessary if the parties wish to allow Contractor to engage in such activities]:

1. Except as otherwise limited in this Agreement, Contractor may use Protected Health Information for the proper management and administration of Contractor or to carry out the legal responsibilities of Contractor. To the extent practicable, the information used should be a limited data set or, if that is not possible, the minimum necessary information.
2. Except as otherwise limited in this Agreement, Contractor may disclose Protected Health Information for the proper management and administration of Contractor, provided that the disclosures are Required By Law, or Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of the information has been breached.
3. Except as otherwise limited in this Agreement, Contractor may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. 164.504(e)(2)(i)(B).
4. Contractor may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(j)(1).
5. Except as otherwise required by law, Contractor shall comply with an individual's request to restrict disclosure of Protected Health Information to a health plan for purposes of payment or health care operations if the Protected Health Information pertains solely to a health care item or service for which the health care provider has been paid in full out of pocket.

Reporting Improper Use or Disclosure

1. Contractor shall report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement immediately upon becoming aware of such use or disclosure. Contractor shall report to Covered Entity any Security Incident and/or breach immediately upon becoming aware of such incident.

D. Obligations of Covered Entity

Provisions for Covered Entity to Inform Contractor of Privacy Practices and Restrictions [provisions dependent on business arrangement]:

1. Covered Entity shall notify Contractor of any limitation(s) in the notice of privacy practices of Covered Entity in accordance with 45 C.F.R. 164.520, to the extent that such limitation may affect Contractor's use or disclosure of Protected Health Information.
2. Covered Entity shall notify Contractor of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Contractor's use or disclosure of Protected Health Information.
3. Covered Entity shall notify Contractor of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Contractor's use or disclosure of Protected Health Information.

Permissible Requests by Covered Entity. Covered Entity shall not request Contractor to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

E. Term and Termination

1. Term. This Agreement shall be effective as of [Insert Effective Date] and shall terminate when all of the Protected Health Information provided by Covered Entity to Contractor, or created or received by Contractor on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the Protected Health Information, when protections are extended to such information in accordance with the termination provisions in this Section E.
2. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Contractor, Covered Entity shall either:
a. Provide an opportunity for Contractor to cure the breach or end the violation, and terminate this Agreement if Contractor does not cure the breach or end the violation within the time specified by Covered Entity;
b. Immediately terminate this Agreement if Contractor has breached a material term of this Agreement and cure is not possible; or
c. If neither termination nor cure is feasible, report the violation to the Secretary.
3. Effect of Termination.
a. Except as provided in paragraph (b) of this section, upon termination of this Agreement for any reason, Contractor shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Contractor on behalf of Covered Entity. This provision shall also apply to Protected Health Information that is in the possession of subcontractors or agents of Contractor. Contractor shall retain no copies of the Protected Health Information.

b. In the event that Contractor determines that returning or destroying the Protected Health Information is infeasible, Contractor shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon determination by Covered Entity that return or destruction of the Protected Health Information is infeasible, Contractor shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Contractor maintains such Protected Health Information.

F. Indemnification

Each party will indemnify and hold harmless the other party to this Agreement from and against all claims, losses, liabilities, costs and other expenses incurred as a result of, or arising directly or indirectly out of or in conjunction with:
a. any misrepresentation, breach of warranty or non-fulfillment of any undertaking on the part of the party under this Agreement; and
b. any claims, demands, awards, judgments, actions and proceedings made by any person or organization arising out of or in any way connected with the party's performance under this Agreement.

G. Miscellaneous

1. Regulatory References. A reference in this Agreement to a section in the Privacy or Security Rule or the HITECH Act and its associated regulations means the section as in effect or as amended.
2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy or Security Rule, the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, or the HITECH Act (Title XIII of the American Recovery and Reinvestment Act of 2009) and its associated regulations.
3. Survival. The respective rights and obligations of Contractor under Section E.3 (Effect of Termination) of this Agreement shall survive the termination of this Agreement.
4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy and Security Rules or the HITECH Act and its associated regulations.
5. Notices. Any notice required to be given pursuant to the terms and provisions of this Agreement shall be in writing and may be either personally delivered or sent by registered or certified mail through the United States Postal Service, Return Receipt Requested, postage prepaid, addressed to each party at the addresses which follow or to such other addresses as the parties may hereinafter designate in writing:

Company:
Contractor:

Any such notice shall be deemed to have been given, if mailed as provided herein, as of the date mailed.

IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement to be effective as of (effective date of the agreement).

COMPANY
By:
Printed Name:
Title:
Date:

CONTRACTOR
By:
Printed Name:
Title:
Date: