Page: 1 of 5

I. PURPOSE: (1)

The purpose of this standard is to identify and define the standards for implementing contracting provisions related to those individuals and organizations identified as Business Associates. The Privacy Rule allows covered providers and health plans to disclose protected health information to these Business Associates if the providers or plans obtain satisfactory assurances that the Business Associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the Business Associate.

II. DEFINITIONS:

A. Business Associate or BA means a person or entity (not an employee) who, on behalf of Tenet,
   1. Creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
   2. Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or on behalf of Tenet, where the provision of the service involves the disclosure of individually identifiable health information from Tenet.

B. Data Use Agreement is an agreement that allows the covered entity to disclose a Limited Data Set to the potential recipient. (164.514(e)(1))

C. Electronic Protected Health Information or ePHI means Protected Health Information (PHI) stored or transmitted by electronic means.

D. Incidental Disclosure means the possible disclosure of PHI due to exposure to information while performing a service for Tenet that does not directly involve access, use and disclosure of PHI. Examples include janitorial services and non-patient-care employees/vendors in the patient room or waiting area.

E. Information is individually identifiable if it either identifies an individual or contains enough specific information to do so.

(1) Replaces and retires Information Privacy Policies 1.1.1, 1.2.5 and Information Security Policy Comp-Sec 2.1.1.
F. A Limited Data Set is protected health information that can only be used or disclosed for research, public health, or Health Care Operations and excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: names; postal address information, other than town or city, state, and zip code; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URLs); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; and full face photographic images and any comparable images.

G. Protected Health Information or PHI means individually identifiable health information that is transmitted or maintained in any form or medium and that relates to the past, present or future physical or mental health or condition of a patient, the provision of health care to a patient, or the past, present or future payment for the provision of health care by a patient.

H. Additional capitalized terms used herein are defined in the Information Privacy and Security Glossary of Definitions.

III. STANDARD:

Prior to disclosing any Protected Health Information (PHI) to a Business Associate of Tenet, Tenet will obtain satisfactory assurances from the Business Associate that the Business Associate will appropriately safeguard the PHI it receives or creates on behalf of Tenet. Tenet will document these satisfactory assurances in writing in the form of a Business Associate Agreement (BAA) with the Business Associate in compliance with the HIPAA regulations. Any disclosures to a Business Associate must be limited to disclosures permitted by the HIPAA regulations and not for the Business Associate's independent use or purposes.

A. Determine if PERSON or ENTITY is a Business Associate

The Tenet Facility's contract administrator, in conjunction with the appropriate business unit owner(s), must evaluate each business relationship for the need of a Business Associate Agreement; utilize Attachment A (Prospective Business Associate Third party/vendor Guide) and Attachment B (BAA Decision Tree). A Business Associate:
   1. Provides a service/activity on behalf of Tenet;
   2. Is not employed by Tenet;
   3. Involves the access to, use or disclosure of, or creation of PHI.
   4. If unclear whether a relationship requires a BAA, contact the Tenet Facility Compliance Officer for assistance.

B. Accounts Payable New Vendor (Business Associate) Setup

New vendor setup procedures managed by Tenet's Accounts Payable Department shall be followed to identify future vendors that qualify as Business Associates. A copy of the vendor setup request form is located under Forms on the Accounts Payable etenet website.
   1. Tenet Facilities must ensure a process is created to ensure the New Vendor Form is processed.
   2. Audit Services will perform periodic reviews of New Vendor Forms to ensure that written contracts are in place and that the Business Associate process described above is being followed.

C. Data Use Agreement (DUA) Limited Data Set

Section 164.514(e) of the Privacy Rule states a Business Associate Agreement is not required when the only PHI an entity receives is a Limited Data Set. A Limited Data Set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a Data Use Agreement (DUA) promising specified safeguards for the PHI within the limited data set. The DUA satisfies the Privacy Rule's requirement that the covered entity obtain satisfactory assurances from its third parties/vendors to protect patients' right to privacy consistent with obligations under federal and state law and Tenet's information privacy policies.

D. Business Associate Agreement (BAA)

Section 164.504(e) of the Privacy Rule requires that business associate agreements specify the uses and disclosures of PHI that Tenet requires of the Business Associate. The agreement will state that the Business Associate must comply with all applicable HIPAA and HITECH Regulations and conduct its business as a covered entity. Tenet's Business Associate Agreements are maintained on the Law Department's Contractual Arrangements Manual (CAM).

E. Refer any third party/vendor expressing concerns or indicating that negotiation is needed to the Tenet Facility Compliance Officer for consultation and agreement recommendations.

F. It is recommended that Tenet only enter into a Business Associate or Data Use Agreement located on the CAM; however, the Tenet Facility Compliance Officer must review and approve any Business Associate or Data Use Agreements submitted to Tenet from outside organizations prior to execution.

G. Upon receipt of a signed Business Associate Agreement or Data Use Agreement from the third party/vendor:
   1. Maintain the original signed BAA or DUA per Tenet Facility policy.
   2. Upload a copy into the ecats system (see Law Department policy L-15 Electronic Contract Approval Term Sheet (ecats) and its Frequently Asked Questions).

IV. IMPLEMENTATION:

A. Tenet Facility
   1. The Tenet Facility Compliance Officer and Tenet Facility Management are responsible for distribution and oversight of Information Privacy and Standards at the facility level.
   2. Tenet Facility must:
      a. Adopt this standard and where necessary develop specific written procedures in order for the Tenet Facility to operationalize this standard;
      b. Develop appropriate methods to monitor adherence to the written procedures; and
      c. Report monitoring activity to the Tenet Facility Compliance Officer.

B. Corporate
   1. Tenet's Information Privacy/Security Office will work with the Tenet Facility Compliance Officer and Tenet Facility Management to develop, maintain, and update procedures and standards for protecting the privacy of PHI and affording patients their rights with respect to their PHI.
   2. Tenet Corporate and Tenet Regional Offices must incorporate these standards into their specific policies and procedures where necessary.
V. REFERENCES:
   - Information Privacy & Security Glossary of Definitions
   - EC.PS.01.00 Information Privacy and Security Administration Policy
   - Law Department's Contractual Arrangements Manual (CAM)
   - Law Department policy L-15 Electronic Contract Approval Term Sheet (ecats) and its Frequently Asked Questions
   - 45 C.F.R. Parts 160 and 164

VI. ATTACHMENTS:
   - Attachment A: Aid for Evaluating Third Parties for Determination of Need for Business Associate Contract(s)
   - Attachment B: Business Associate Flowchart
Attachment A: Business Associate And Data Use Agreement Standard

Aid for Evaluating Third Parties for Determination of Need for Business Associate Contract(s)

Checklist of arrangements with third parties that may need to be documented with business associate contracts. This list is provided for illustration only and is not a complete list of all arrangements that are subject to the business associate rules.

Third party professionals
   - Consultants
   - Accountants
   - Attorneys
   - Actuaries
   - Patient Safety Organizations
   - Risk management
   - Information technology
   - Billing and coding
   - Management Service Providers
   - Coding providers
   - Waste disposal and recycling companies (if PHI included in waste)
   - Transcription services
   - Microfilm and optical disk conversion providers
   - Clearinghouses
   - Billing companies
   - Insurance brokers
   - Records management companies (including storage and reproduction)
   - Temporary staffing agencies (if personnel will have access to PHI)
   - Software and hardware providers (for installation, maintenance and other services that may have access to PHI)

Other agreements
   - Joint ventures
   - IPA/HMO/other payer contracts (under which Covered Entity is buying managed care contracting services and/or billing/collection services that involve the use or disclosure of PHI)
   - Shared service arrangements
   - Research services
   - Management agreements

09-16-13
Attachment B: EC.PS.01.04 Business Associate And Data Use Agreement Standard

Business Associate Flowchart (flowchart graphic not reproduced in this text)

09-16-13