Headaches and Pitfalls in Business Associate Contract Management © 2013 Christiansen IT Law American Bar Association Health Law Section eHealth, Privacy & Security Committee Webinar, August 30, 2013



Page 2


Presenter CV

John R. Christiansen, J.D. - Christiansen IT Law

• Chair, ABA HITECH Megarule/Business Associates Task Force (2009 – pres.); Committees on Healthcare Privacy, Security and Information Technology (2004 – 06); on Healthcare Informatics (2000 – 04); and PKI Assessment Guidelines Health Information Protection and Security Task Group (2000 – 2003)

• Author, The HITECH Business Associate Contracts Bible (ABA 2013); State and Federal Consent Laws Affecting Health Information Exchange (NGA 2011); Policy Solutions for Advancing Interstate Health Information Exchange (NGA 2009); An Integrated Standard of Care for Healthcare Information Security (AHLA 2005); Electronic Health Information: Security and Privacy Compliance under HIPAA (AHLA 2000)

• Special Assistant Attorney General to Washington State Health Care Authority, health care information issues related to HIPAA, HITECH, and related issues

• Privacy and Security Expert, ONC/OCR Comprehensive Campaign for Communication and Education About the HITECH Act (2010 – 2012); Consultant, ONC State Health Policy Consortium (2010 – pres.); Technical Advisor, ONC Health Information Security and Privacy Collaboration (2005 – 2009)

• Executive Committee/Secretary, Washington State Bar Association Health Law Section (2012 – pres.)

• Adjunct Faculty, University of Washington Information School (2008 – 2012); Oregon Health and Sciences University Division of Medical Informatics and Outcomes Research (2000 – 2003)

Page 3


Our Agenda

• We Assume You Know at Least the Fundamentals of the Omnibus Rule
  – September 23 is Less than Four Weeks Away

• Quick Basics of Terminology
  – See HITECH Business Associates Task Force Publications for More Details

• Business Associate Contract Pass-Along Problems

• A Few Sample Problems

Page 4

You Think Organic Chemistry is Complicated?


Page 5

A Few HITECH BA Chain Variations


[Diagram: three HITECH BA chain variations, shown again individually on pages 18 to 20. (1) Business Associate: QIO serving several Covered Entities (Physician Practices, Hospitals) through SubK: Analytics, Hosting, Consult1, Consult2, with side-chain Svcs: Security, Legal1, ParaLx, Legal2. (2) Covered Entity: Physician Practice with Business Associate: IT Services Provider and SubK: e-Rx, EHR, Hosting, Admin, Billing, Coding, with side-chain Svcs: Audit, Legal, ParaLx, Security, Hosting. (3) HIO: Business Associate/Subcontractor serving Covered Entities (Physician Practices, Hospitals, Labs, Plans) and Business Associates (IT Svces, Billing, Admin, etc.) through SubK: Hosting, RLS, HIE, MPI, Analytics, with side-chain Svcs: Security, Audit.]

Page 6

Business Associate Terminology

• “Long Chain” Subcontracting

• “Upstream:” CE, or BA delegating function

• “Downstream:” BA to which function is delegated

• “First tier” BA: BA with direct delegation from CE

• “Second tier” BA: BA with direct delegation from first tier BA (and third, fourth tier, etc.)

• “Lower tier” BAs: BAs below first tier


[Diagram: Covered Entity: Physician Practice → Business Associate: IT Services Provider → SubK: Admin, SubK: Billing, SubK: Coding]

Page 7

Business Associate Terminology

• “Side Chain” Services Providers

• BA retains organization to provide services to BA
  – Not a BA/Subcontractor*

• “BA Services Provider” may use, disclose PHI for BA purposes

• BA Services Provider may use other parties to provide support/related services for BA purposes
  – These parties are also not BAs

* Note: Same kind of services provider to CE is a BA


[Diagram: Covered Entity: Physician Practice → Business Associate: IT Services Provider → SubK: Admin, Billing, Coding; side-chain Svcs: ParaLx, Security, Legal, Hosting retained by the IT Services Provider; Business Associate: Legal → Svcs: ParaLx]

Page 8


Pass-Along Problems

1. PHI Use/Disclosure Limitations for CE Functions, Activities, Services

• CE must pass-along to First Tier BA:
  – General Privacy Rule limitations – required part of BAC
  – NOPP limitations (if any) – implied, not required in BAC
  – Additional restrictions (if any) – implied, not required in BAC
  – Minimum necessary policies (see below) – implied, not required in BAC

• First Tier BA must pass-along BAC limitations to Second Tier BA
  – First Tier BA may add “more stringent” limitations to Downstream BAC

• Each Lower Tier BA must pass-along limitations from Upstream BAC
  – Each BA may add “more stringent” limitations to Downstream BAC

Page 9


Pass-Along Problems

2. Individual Access/Accounting Timing and Format

• Long-chain relationships must ensure CE can comply with:
  – 30 day access response (permitted 60 day extension if PHI not maintained on-site by CE)
    • CE review for denial may be necessary
  – Requests for copies in specified electronic formats
  – 60 day response for accounting of disclosure (permitted 30 day extension if CE gives statement of reasons)

• BAC response requirements shorten with each link in the chain – permitted as “More Stringent” requirement

Page 10


Pass-Along Problems

3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes

• Optional BAC provisions permitting Business Associates to use/disclose PHI for Business Associate management, administration, legal responsibilities, if required by law
  – CE not required to include in BAC
  – First and Lower Tier BAs not required to include in BAC even if CE permits (“more stringent”)
  – If not included, BAs below “cutoff” (BAC not including optional provisions) may not use/disclose PHI for e.g. legal services, audit, consultants, breach investigation, personnel matters (e.g. Security Rule sanctions enforcement), etc., etc.

Page 11

Pass-Along Problems

3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes

• First Tier BAC does not permit use/disclosure for BA purposes

• First Tier BA cannot disclose PHI to law firm

• Second Tier BA cannot disclose PHI to security services provider

• Third Tier BA cannot use third party hosting services

• Etc.


[Diagram: the Page 7 chain (Covered Entity: Physician Practice → Business Associate: IT Services Provider → SubK: Admin, Billing, Coding; side-chain Svcs: ParaLx, Security, Legal, Hosting; Business Associate: Legal → Svcs: ParaLx), labelled “NO BA USE OR DISCLOSURE”, with the side-chain disclosures to Legal, Security and Hosting crossed out]
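Added example, not part of the webinar or the author's material: a small Python model of the pass-along rule from pages 8 and 10 applied to the page 11 scenario. Each link's BAC can only pass along or further restrict the upstream grant, so the first BAC that omits the optional BA-purpose provisions cuts off every lower tier; the party names, purpose labels and grants are constructed assumptions.

```python
"""Constructed model of a HITECH business associate chain: each link's BAC can
only pass along, or further restrict, what the upstream BAC granted."""
from typing import Dict, List, Optional, Set, Tuple

# Purpose labels are constructed for this example, not regulatory text.
CE_PURPOSES = {"treatment", "payment", "operations"}              # delegated CE functions
BA_PURPOSES = {"ba_management", "ba_administration", "ba_legal"}  # optional provisions, page 10
Link = Tuple[str, str]  # (upstream party, downstream party)
Grants = Dict[Link, Set[str]]

def effective_permissions(chain: List[str], grants: Grants) -> Dict[str, Set[str]]:
    """Walk from the CE downward: a party holds the upstream party's effective
    permissions intersected with its own BAC grant, never more."""
    effective = {chain[0]: CE_PURPOSES | BA_PURPOSES}  # the CE itself holds everything
    for up, down in zip(chain, chain[1:]):
        effective[down] = effective[up] & grants.get((up, down), set())
    return effective

def overreaching_links(chain: List[str], grants: Grants, effective: Dict[str, Set[str]]) -> List[Link]:
    """Links whose BAC purports to grant more than the upstream party holds;
    page 8 allows 'more stringent' terms downstream, never broader ones."""
    return [(up, down) for up, down in zip(chain, chain[1:])
            if grants.get((up, down), set()) - effective[up]]

def cutoff_tier(chain: List[str], effective: Dict[str, Set[str]]) -> Optional[int]:
    """Tier of the first BA whose BAC dropped the optional BA-purpose provisions;
    it and every tier below it are cut off from BA-purpose use/disclosure."""
    for tier, party in enumerate(chain[1:], start=1):
        if not effective[party] & BA_PURPOSES:
            return tier
    return None

def blocked_side_chain(chain: List[str], effective: Dict[str, Set[str]],
                       services: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Side-chain services providers a cut-off party may not disclose PHI to."""
    return {p: services.get(p, []) for p in chain[1:] if not effective[p] & BA_PURPOSES}

# Constructed scenario mirroring page 11: the first-tier BAC omits the optional
# provisions, so every lower tier is cut off even where its own BAC "includes" them.
CHAIN = ["Physician Practice (CE)", "IT Services Provider", "SubK: Billing", "SubK: Coding"]
GRANTS: Grants = {
    (CHAIN[0], CHAIN[1]): set(CE_PURPOSES),           # no BA-purpose provisions
    (CHAIN[1], CHAIN[2]): CE_PURPOSES | BA_PURPOSES,  # purports to grant them anyway
    (CHAIN[2], CHAIN[3]): set(CE_PURPOSES),
}
SIDE_CHAIN = {CHAIN[1]: ["Svcs: Legal"], CHAIN[2]: ["Svcs: Security"], CHAIN[3]: ["Svcs: Hosting"]}

def analyse(chain=CHAIN, grants=GRANTS, services=SIDE_CHAIN) -> dict:
    """Report the cutoff tier, any overreaching BACs and blocked side-chain disclosures."""
    effective = effective_permissions(chain, grants)
    return {"cutoff_tier": cutoff_tier(chain, effective),
            "overreaching": overreaching_links(chain, grants, effective),
            "blocked": blocked_side_chain(chain, effective, services)}
```

Running `analyse()` on the constructed chain reports cutoff at tier 1, flags the second-tier BAC as overreaching, and lists Legal, Security and Hosting as blocked disclosures, which is the page 11 picture.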

Page 12


Pass-Along Problems

4. Minimum Necessary

• “A covered entity’s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR 164.504(e)(2)(i). Thus, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity’s minimum necessary policies and procedures. . .”
  – OCR Health Information Privacy FAQ, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/252.html

• All BAs have to comply with CE minimum necessary policies

• BAs (mostly) don’t have the authority to adopt their own minimum necessary policies

Page 13


Pass-Along Problems

4. Minimum Necessary

• Not a specifically required BAC provision

• Strongly implied: BA can’t use/disclose PHI in a manner CE can’t, and CE mostly can’t use/disclose except under minimum necessary policy
  – OCR BAC Sample “optional” provisions

• Does the CE have minimum necessary policies and procedures?

• Are the CE’s minimum necessary policies complete and intelligible?

• Do the CE’s minimum necessary policies include purposes, positions, PHI scope consistent with BA services, functions, activities?
  – Both for CE purposes, and for BA administrative etc. purposes
  – E.g. physician practice outsources all EHR functions, has no need or policy for network administrator

• Note that professional services provider (e.g. law firm) can define minimum necessary in request to CE – but can’t in request to BA

Page 14


Pass-Along Problems

5. BAC Termination Problems

• How to coordinate termination of lower tiers?

• How does CE obtain “return” of PHI from lower tiers?
  – Lower tier BAC probably specifies that PHI will be returned to upstream BA upon termination

• Can lower tier BAC include permission to retain PHI if upstream BAC does not?

• Should CE have notice of lower tier BA retention?

Page 15


Pass-Along Problems

6. Breach Notification

• BAC required to specify reporting of security incidents, unauthorized use/disclosure of PHI, breaches
  – Lower tier BACs probably specify that Downstream BA will notify Upstream BA
  – Agreements with Services Providers must include requirement to report “breach of confidentiality” – not the same as a Breach Notification Rule “breach?”

• Breach Notification Rule independently requires any BA to notify CE of breaches

Page 16

Pass-Along Problems

6. Breach Notification

• First Tier BA has regulatory and contract requirement to notify CE

• Second Tier BA has regulatory requirement to notify CE, and contract requirement to notify First Tier BA

• Third Tier BA has regulatory requirement to notify CE, and contract requirement to notify Second Tier BA

• Etc.


[Diagram: Covered Entity: Physician Practice → Business Associate: IT Services Provider → SubK: Admin, SubK: Billing, SubK: Coding]

Page 17


Pass-Along Problems

6. Breach Notification

• Breach Notification Rule specifies that the CE (or its “designee”) has the authority to determine if an unauthorized use/disclosure is a “breach”
  – Even though BAs must report “breaches?”

• Under some conditions both CE and BA may have state law breach notification obligations

• BA must notify CE with no “unreasonable delay,” maximum 60 days from when it knew/should have known of breach

• CE must notify individuals, OCR (if more than 500 affected individuals) with no “unreasonable delay,” maximum 60 days from when it knew/should have known of breach
  – CE imputed BA knowledge if BA is CE agent under “federal common law”

• State laws typically require maximum 60 days notice

• BAC response requirements shorten with each link in the chain

Page 18

Now Contract to Pass Along in These Variations

Bundled IT Service Provider BA with multiple Subcontractor Chains and Side Chains

[Diagram: Covered Entity: Physician Practice → Business Associate: IT Services Provider → SubK: e-Rx, EHR, Hosting, Admin, Billing, Coding; side-chain Svcs: Audit, Legal]


Page 19

Now Contract to Pass Along in These Variations

Multi-Services QIO with Multiple CEs Using Various Services Provided through multiple Subcontractor Chains, with Side Chains


[Diagram: Business Associate: QIO serving several Covered Entities (Physician Practices, Hospitals) through SubK: Analytics, Hosting, Consult1, Consult2; side-chain Svcs: Security, Legal1, ParaLx, Legal2]

Page 20

Now Contract to Pass Along in These Variations

HIO Providing Multiple Services to Open Community of CEs and BAs Using Various Services Provided through multiple Subcontractor Chains, with Side Chains


[Diagram: HIO: Business Associate/Subcontractor serving Covered Entities (Physician Practices, Hospitals, Labs, Plans) and Business Associates (IT Svces, Billing, Admin, etc.) through SubK: Hosting, RLS, HIE, MPI, Analytics; side-chain Svcs: Security, Audit]

Page 21

How to Solve These Problems


Page 22

If That Doesn’t Work . . .


Page 23

Questions? Answers? Thanks!


Page 24

• SciTech Listeners – Claim Your Complimentary Membership in ABA’s Health Law Section: http://ow.ly/o3VnI.
  – Then, join the eHealth, Privacy & Security interest group (also complimentary, after joining the Health Law Section): http://ow.ly/ncV3R.

• HL Section Listeners – Claim Your Complimentary Membership in ABA’s Science and Technology Section: http://ow.ly/ooTgn

• Remaining Agenda
  – Discuss upcoming eHealth IG initiatives.
  – Call for volunteers to work on eHealth IG committees and initiatives.
  – Other Hot Topics/open microphone. Collaborate with your peers!

• The HITECH Business Associate Contracts Bible