The final Privacy Rule mandated by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")¹, among other things and with certain exceptions, requires each "Covered Entity" to have contracts in place with its "business associates" and imposes liability on such Covered Entity if one of its business associates materially breaches its obligations under such contract. "Covered Entities" include health plans, providers who store or transmit health information electronically or use a third party to do so on its behalf, and clearinghouses (see the Final Rule for complete definitions²). This On the Front Lines article addresses the types of provisions a Covered Entity must have and those it is permitted to have in its business associate contracts.

"Business Associate" is defined as a person "who on behalf of the covered entity perform[s] or assists in the performance of... a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing ... or [p]rovides ... legal, accreditation, or financial services to or for such covered entity where the provision of service involves the disclosure of individually identifiable health information from such covered entity ... to the person." The Final Rule also refers to individually identifiable health information as "Protected Health Information"

Billing Contract. As an example, assume a hospital, call it The Best Hospital, outsources its billing to a company called "Billings R Us." The Final Rule requires The Best Hospital to enter into an agreement with Billings R Us before providing it with protected health information (e.g., patient names, insurance identification numbers, diagnostic and procedural codes, etc.), that Billings R Us needs to perform its services. The Best Hospital would need to include the following provisions in its Business Associate contract:

1. Billings R Us shall not use or disclose Protected Health Information except as provided in this agreement or required by law (The Best Hospital may choose to define this further and limit the use or type of information according to Billings R Us' role, e.g. for purposes of submitting claims to health insurers on behalf of The Best Hospital).

2. Billings R Us shall implement and maintain appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as provided herein. (Note that The Best Hospital can require specific safeguards.)

3. Billings R Us shall report to The Best Hospital any use or disclosure of Protected Health Information in violation of this agreement of which Billings R Us becomes aware. (The Best Hospital can expand on this, e.g., by requiring the notification to be immediate, by asking for Billings R Us to sanction its employees for violations, and by requiring Billings R Us to mitigate damages.)

4. Billings R Us shall ensure that any subcontractors or agents to whom it provides Protected Health Information received from The Best Hospital agree to the same restrictions and conditions that apply to Billings R Us with respect to such information.

5. Billings R Us shall make Protected Health Information available to the individual subjects of such information as required by The Best Hospital. (The Best Hospital may choose to specify time and manner of access in accordance with the patients' right to access under the Privacy Rule³ and The Best Hospital's own policies and procedures.)

6. Billings R Us shall incorporate any amendments or corrections to Protected Health Information when so notified by The Best Hospital.⁴

7. Billings R Us shall provide for an accounting of uses and disclosures of Protected Health Information as requested by The Best Hospital.⁵

8. Billings R Us shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from The Best Hospital available to the Secretary of the Department of Health and Human Services (HHS) for purposes of determining The Best Hospital's compliance with the HIPAA Privacy Rule.

9. At termination of this agreement, if feasible, Billings R Us shall return or destroy all Protected Health Information received from The Best Hospital that Billings R Us still maintains in any form and retain no copies of such information. (The Best Hospital might want to expand this by providing a deadline, allowing The Best Hospital to conduct an audit, and addressing de-identified information.)

10. The Best Hospital may terminate this agreement if it determines that Billings R Us has violated a material term of this agreement. (The Best Hospital may want to specify that such termination would be immediate upon provision of notice and include examples of breaches considered "material." Note that The Best Hospital is not required to monitor Billings R Us actively, but if The Best Hospital "knows"⁶ of a material breach, it must take reasonable steps to cure the breach. If these steps are not successful, it must terminate the contract.⁷)

Covered Entities also may permit (but are not required to so permit) the Business Associate to (i) use the Protected Health Information for the Business Associates "proper management and administration," and to carry out legal responsibilities of the Business Associate, and to disclose protected health information for such purposes if "required by law" or if the Business Associate obtains "reasonable assurances" from the person receiving the information that such person will only use and/or disclose such information as required by law or for the purpose disclosed and that such person will notify the Business Associate of breaches; and (ii) use the Protected Health Information for data aggregation services regarding the Covered Entity's operations.

In the description preceding the Final Rule, HHS notes that Covered Entities may rely on their Business Associate's professional judgment regarding the "type and amount" of Protected Health Information that it needs to use and disclose to carry out its role.

Conclusion. The above provisions of are only meant to highlight the specific requirements. Each contract between a Covered Entity and Business Associate typically will be subject to negotiation, within the limits of the Final Rule. The new burdens placed on Business Associates undoubtedly will mean additional expenses for the Business Associate and any economic adjustments to the fees received by the Business Associate would be subject to such negotiation. Because the Final Rule does not regulate Business Associates directly, only Covered Entities (Congress did not provide HHS with such authority in the statute itself), Business Associates have some room to negotiate, depending obviously in part on their competitive situation. If the Business Associate also is a Covered Entity, however, the Business Associate arguably could be sanctioned directly by the government. Whether the additional requirements placed on Business Associates eventually will be considered a "cost of doing business" or not remains to be seen. Covered Entities, after all, will incur their own additional administrative expenses in following the Final Rule.

Keep in mind that the Covered Entities bear the liability vis-à-vis the government for material breaches by its Business Associates. There is no private right of action for individual patients to sue either Covered Entities or Business Associates for breach of privacy under the Privacy Rule, but certain state laws may provide such a right, directly or indirectly, and the Final Rule notes it is not intended to preempt such state laws. State laws that are more "stringent" (i.e. more protective of privacy) are not preempted by HIPAA.

Finally, because the Security Rule under HIPAA has not yet been finalized, this article does not address the specific contractual provisions Covered Entities will need to obtain from Business Associates under that rule, but note that the proposed version of the Security Rule does require certain provisions in "chain of trust agreements" with Business Associates that go beyond the Privacy Rule requirements.

Jackie Huchenski is a partner with Moses & Singer LLP in New York City. She is the chair of the Healthcare Practice and co-chair of the eHealth Practice.

Footnotes:

¹ As of the date of this writing, the Privacy Rule was to become effective on February 26, 2001, but such date was unofficially delayed to April 15, 2001, apparently due to an administrative error in not providing the Rule to Congress following its Dec. 28, 2000 publication in the Federal Register. In addition to this delay, certain healthcare industry associations were appealing to President Bush's new administration to pull back on the effective date of the Final Rule. If the Final Rule remains unchanged, all Covered Entities must comply with the requirements under the Final Rule within two years of its effective date (three years for small health plans with under $5 million in revenue).
² 65 FR 82462, December 28, 2000.
³ See 45 CFR § 164.524 (65 FR page 82823).
⁴ See 45 CFR §164.526 (65 FR page 82824).
⁵ See 45 CFR § 164. 528 (65 FR page 82826).
⁶ "Knowing" means the Covered Entity has "substantial and credible evidence of a violation."
⁷ If termination is not "feasible' then it must report this to the Secretary of HHS. "Not feasible" means it is unduly burdensome on the Business Associate and that the business associate has some or no viable alternatives. It does not include situations when the return or destruction of the Protected Health Information would simply be inconvenient or costly for the Business Associate.