Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

Despite Proposed Extension, HIPAA Covered Entities Should Address Business Associate Contracts Soon, Attorney Says

The recently proposed one-year extension for revising contracts with business associates should not be cause for delay in addressing these agreements, because of their importance in complying with HIPAA's privacy rules and related requirements, according to an attorney who spoke at a recent conference.

"Don't get too excited about that extension because you're going to want to get as many business associate contracts as you can amended prior to that," according to Chris Petersen, an attorney with Morris, Manning & Martin in Washington, D.C.

One reason to finalize contracts sooner is to ensure that information held by the business associate is available to meet the rules' individual access requirements, for which an extension from the April 14, 2003, compliance date has not been proposed, he said. Another reason is the plethora of other rules that are taking effect, including HIPAA's transaction and security rules, and state rules based on the National Association of Insurance Commissioners (NAIC) model for privacy and security.

The transaction rules, for example, require covered entities to enter into "trading partner agreements" with business associates before an associate can conduct standard transactions on the covered entity's behalf, Petersen said. These agreements must require that the business associate comply with the transaction rules and ensure that its agents and subcontractors do the same, he said. This provision of the rules enables the U.S. Department of Health and Human Services (HHS) "to sweep in entities not subject to the regulation" so covered entities and their direct business associates could not avoid the transaction rules by contracting out their transaction operations, he explained.

Also of concern are the NAIC model rules, which are designed to implement the federal Gramm-Leach-Bliley (GLB) Act for insurers. Section 14 of the NAIC model GLB regulation requires insurers' contracts with service providers, or with financial institutions for joint marketing, to prohibit the disclosure of individual information except to fulfill the contract, Petersen said.

NAIC's draft model security rule, which governs contracts with service providers, requires insurers to protect against unauthorized access to or use of information that could harm or even "inconvenience" an individual, which is "one of the more interesting standards I've seen in a long time," Petersen said. NAIC may finalize the rule as early as September, with state implementation expected soon thereafter, he said.

Contract Negotiation

In negotiating business associate contracts, covered entities should try to address these compliance issues together with any other contractual issues that occur between the parties, Petersen said. "Some of the things your lawyers want to put in contracts, your vendors and customers are not going to want to sign."

Among the issues the parties must consider are whether the business associate must get the covered entity's authorization to subcontract out its duties, and which party is responsible for providing individuals with the access, accounting and other rights guaranteed by HIPAA's privacy rules, Petersen said. Covered entities generally will prefer that individuals contact them directly, he said. "I don't think you want irate individuals talking your business associate."

Another issue likely to be problematic is the business associate's obligation to return or destroy protected health information (PHI) upon termination of the contract "if feasible," Petersen said. Law firms, for example, "are not going to return or destroy information," and vendors may demand a sizable sum to cover the costs of doing so, he said. "By definition it's the end of the contract and in many instances the vendor will not be happy about that."

The model business associate contract that HHS released along with its proposed privacy rule modifications should be "a useful tool," Petersen said. "One of the good things about the model contract" is that it seems to validate the current practice of simply "parroting" the relevant provisions of the rules, he said. "If the Gramm-Leach-Bliley notices are any indication, a lot of people are going to go verbatim."

Petersen spoke April 2 in Chicago at a HIPAA Symposium organized by the Health Insurance Association of America.

Reprinted with permission from the May 2002 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.