Data use contracts between health care covered entities and business associates including outsourcers

October 9, 2009

Overview.

The final Privacy Rule adopted in August 2002 sets forth specific requirements for contracts between “covered entities” and “business associates” (outsourcers).  For further details, please contact one of our attorneys.

Minimum Provisions.

For the minimum terms of such a contract, the final HIPAA Privacy Rule provides:

(i) A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes.

(ii) Contents. A data use agreement between the covered entity and the limited data set recipient must:

(A) Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section [45 CFR Section 164.514]. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity;

(B) Establish who is permitted to use or receive the limited data set; and

(C) Provide that the limited data set recipient will:

(1) Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
(2) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
(3) Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
(4) Ensure that any agents, including a subcontractor, to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
(5) Not identify the information or contact the individuals.

Privacy in Outsourcing of Health Information

October 9, 2009

The general Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires anyone to obtain a patient’s prior consent in order to use “individually identifiable health information” for non-medical purposes, such as employer evaluations.   For medical treatment and payment purposes, however, using or sharing medical information “for incidental use or disclosure” is permitted.   For marketing purposes, a pharmacist may use a patient’s medical information to make recommendations to the patient to switch medications.

The final Privacy Rule, published August 14, 2002, preserves the role of outsourcers of medical information.  Certain prior draft provisions were softened.

Prior Draft Regulations.

Prior draft regulations, issued by the administration of former President Bill Clinton, would have prevented hospitals and clinics from  scheduling medical tests or surgery until the patient had read and signed a long, legalistic “privacy notice.”

Impact of Regulations on Outsourcing of Medical Information Processing Services.

The prior draft HIPAA Privacy Rule raised several concerns for those involved in outsourcing of medical information processing services.

Continuation of Outsourcing Services.
The prior draft targeted situations in which covered entities outsource their billing, claims, and reimbursement functions to accounts receivable management companies. These collectors often attempt to recover payments from a patient on behalf of multiple health care providers. Affected covered entities and their service providers were concerned that the Privacy Rule would prevent these collectors, as business associates of multiple providers, from using a patient’s demographic information received from one provider to facilitate collection for another provider’s payment. Under the final HIPAA Privacy Rule, outsourcing such services is permitted.

Continuation of Outsourcing of Records Management and Photocopying.
The prior draft would have had a negative impact on outsourcing of records management and photocopying activities. It could have effectively eliminated any economic benefit to outsourcing service providers from the cost-based copying fees that may be charged to individuals who request a copy of their medical record under the right of access provided by the Privacy Rule. See 45 CFR Section 164.524. There was a risk of driving the outsourcers out of business.

In acknowledging this, the Department of Health and Human Services made a special clarification to accommodate outsourcing.  Many hospitals and other covered entities currently outsource their records reproduction function for fees that often include administrative costs over and above the costs of copying. In some cases, the fees may be set in accordance with State law. The Privacy Rule, at Sec. 164.524(c)(4), however, permits only reasonable, cost-based copying fees to be charged to individuals seeking to obtain a copy of their medical record under their right of access.   In response to comments that persons seeking copies of all or part of the medical record, such as payers, attorneys, or entities that have the individual’s authorization, would try to claim the limited copying fees provided in Sec. 164.524(c)(4), the final Privacy Rule makes clear that the fee structure in Sec. 164.524(c)(4) applies only to individuals exercising their right of access.

However, the Department of Health and Human Services acknowledged that even this accommodation could put a strain on covered medical-related entities, and that the regulation forced subsidized access to medical records by the individual patients.   HHS argued:

To the extent hospitals and other entities outsource this function because it is less expensive than doing it themselves, the fee limitation for individuals seeking access under [45 CFR] Sec. 164.524 will affect only a portion of this business; and, in these cases, hospitals should still find it economical to outsource these activities, even if they can only pass on a portion of the costs to the individual.

While perhaps onerous on covered entities, the rule does allow outsourcers and their customers to recover more than their costs on non-patients in order to subsidize patients’ access to medical records.

Outsourcing Continues to Require Contracts.
The Department of Health and Human Services’ final Privacy Rule requires that any relationship between a “covered entity” and a “business associate” (also known as an outsourcer or service provider) must be established and managed by contract. Some service providers tried, unsuccessfully, to be authorized to “self-certify” their compliance, or to rely on a neutral certification authority. “With respect to certification by a third party, it is unclear whether such a process would allow for any meaningful enforcement (such as termination of a contract) for the actions of a business associate,” HHS concluded.

Minimum Standards, not Exclusive Standards.

The final Privacy Rule does not supersede any more stringent privacy protections of any state laws.   The “best practices” approach, therefore, may be to obtain the patient’s consent for certain uses of the medical information, particularly for patients who are likely to change residences from one state to another and the new state of residence has stricter provisions.

Outsourcing Contract Terms.

The final Privacy Rule adopted in August 2002 sets forth specific requirements for contracts between “covered entities” and “business associates” (outsourcers). For the minimum terms of such a contract, our subscribers can view the terms at hipaa privacy data use contract terms.

Definitions.
Key definitions under the final Privacy Rule can be reviewed at hipaa_privacy_definitions.