As published in the February 28, 2001 issue in iHealthcare Weekly
Companies providing services to health care organizations such as doctors, hospitals, labs, pharmacies, insurers, HMOs and others, may soon find themselves being asked to sign new agreements under the Privacy Rule issued by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996*. If your company receives individually identifiable health information from such an organization, that health organization may soon be obliged to obtain such an agreement to ensure that your company follows the elaborate requirements in the Privacy Rule to protect the privacy of its patients or members' health information. If you do not sign such an agreement, your client may be forced to terminate your relationship.
The Privacy Rule, among other things and with certain exceptions, requires all "Covered Entities" to have contracts in place with their "business associates" and imposes liability on a Covered Entity if one of its business associates materially breaches its obligations under such contract.
"Covered Entities" include health plans, providers who store or transmit health information electronically or use a third party to do so on their behalf, and clearinghouses (see the Rule for complete definitions of these).
"Business Associate" is defined as a person "who on behalf of the covered entity perform[s], or assists in the performance of … a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing … or [p]rovides … legal, accreditation, or financial services to or for such covered entity … where the provision of service involves the disclosure of individually identifiable health information from such covered entity … to the person."
The rule also calls individually identifiable health information "Protected Health Information" and to de-identify information requires the removal of any of 18 identifiers (such as name, address, social security number, medical record number, and health plan beneficiary number).
As an example, assume a medical group or physician organization called "Hip Docs", which is a Covered Entity under the Privacy Rule, uses a company called "PDAs R Us" to provide personal digital assistants with wireless technology for scheduling, prescriptions, patient email and other services, which makes it a Business Associate of Hip Docs. Hip Docs will have to enter into an agreement with PDAs R Us before providing it with Protected Health Information (e.g., patient names, insurance identification numbers, diagnostic and procedural codes, etc.), which PDAs R Us needs to perform its services. Hip Docs would need to provide for the following types of provisions in its Business Associate contracts:
2. PDAs R Us shall implement and maintain appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as provided herein.
3. PDAs R Us shall report to Hip Docs any use or disclosure of Protected Health Information in violation of this agreement of which PDAs R Us becomes aware.
4. PDAs R Us shall ensure that any subcontractors or agents to whom it provides Protected Health Information received from Hip Docs agree to the same restrictions and conditions that apply to PDAs R Us with respect to such information.
5. PDAs R Us shall make Protected Health Information available to the individual subjects of such information as required by Hip Docs.
6. PDAs R Us shall incorporate any amendments or corrections to Protected Health Information when so notified by Hip Docs.
7. PDAs R Us shall provide for an accounting of uses and disclosures of Protected Health Information as requested by Hip Docs.
8. PDAs R Us shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from Hip Docs available to the Secretary of the Department of Health and Human Services for purposes of determining Hip Docs's compliance with the HIPAA Privacy Rule.
9. At termination of this agreement, if feasible, PDAs R Us shall return or destroy all Protected Health Information received from Hip Docs that PDAs R Us still maintains in any form and retain no copies of such information.
10. Hip Docs may terminate this agreement if it determines that PDAs R Us has violated a material term of this agreement. (Note that Hip Docs is not required to monitor PDAs R Us actively, but if Hip Docs "knows" of a material breach then it must take reasonable steps to cure the breach ("knowing" means the Covered Entity has "substantial and credible evidence of a violation"), and if these steps are not successful then it must terminate the contract; if termination is not "feasible", it must instead report the breach to the Secretary of Health and Human Services. "Not feasible" means that termination is unduly burdensome on PDAs R Us and that PDAs R Us has few or no viable alternatives. It does not include situations where the return or destruction of the Protected Health Information would simply be inconvenient or costly for PDAs R Us.)
Hip Docs may also permit (but is not required to permit) PDAs R Us to (i) use the Protected Health Information for PDAs R Us' "proper management and administration", and (ii) use the Protected Health Information for data aggregation services regarding Hip Docs's operations.
A Covered Entity bears the liability vis-à-vis the government for material breaches by its Business Associates. If the Business Associate is also a Covered Entity, however, the Business Associate could arguably be directly sanctioned by the government.
Because the Rule does not directly regulate Business Associates, only Covered Entities (Congress did not provide the Department of Health and Human Services with such authority in the statute itself), Business Associates will have some room to negotiate details concerning the above requirements.
Footnotes:
* As of the date of this writing, the Privacy Rule's effective date was unofficially postponed from February 26, 2001, to sometime mid-April, 2001 and certain healthcare industry associations were appealing to President Bush's new administration to pull back on the Rule. If the Rule remains unchanged, all Covered Entities must comply with the requirements under the Rule within two years of its effective date (three years for small health plans with under $5 million in revenue).
© 1999 - Moses & Singer LLP all rights reserved.