Looming HIPAA rule highlights healthcare business associates

Jonathan S. Batchelor
Feb 10, 2003

SAN DIEGO - While the Ides of March proved ominous for Julius Caesar, the Ides of April may hold equally dark clouds for U.S. radiology administrators. April, of course, is when soothsayers predict the final privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) will take effect. Among the HIPAA compliance measures healthcare administrators are expected to have in place on April 14, 2003, are business associate agreements for protected health information.

The penalties for not having these agreements are stiff and serious, said attorney Diane McKenzie in a presentation Monday at the Healthcare Information and Management Systems Society (HIMSS) conference.

"A firm faces substantial fines and criminal prosecution for not following the HIPAA privacy requirements," said McKenzie, who is a senior partner with the Internet law firm of Gordon and Glickson in Chicago. McKenzie shared her thoughts on drafting business associate agreements with professionals and service groups, starting with a definition of protected health information.

"Protected health information is all medical records and all other individually identifiable health information created or received by a covered entity in any form, whether electronically, on paper, oral, or otherwise. This includes information transmitted by electronic media, maintained in electronic media, or transmitted in any other form or medium," she explained.

Associating associates

"A business associate is a person or entity that on behalf of a covered entity performs or assists in the performance of a function or activity that involves the use or disclosure of protected health information, or provides certain services to or for a covered entity (your practice), where the provision of the service involves disclosure of protected health information," McKenzie stated.

Firms that qualify as business associates include claims processing, claims administration, utilization review, quality assurance, billing, benefit management, practice management, data analysis, legal, actuarial, accounting, consulting, data aggregation, financial, staffing, and accreditation services.

Similarly, attorneys, actuaries, accountants, business consultants, management consultants, tax advisors, financial advisors, medical equipment suppliers, software and hardware vendors, software developers, information technology consultants, technology support, and maintenance service providers are among the professionals with whom a practice will want to have business associate agreements.

There are some businesses that are exempt from associate agreements. These are conduits for transport or transmission such as a delivery service or telephone company; financial institutions such as a bank or credit card company; and participants in an organized healthcare agreement where the function or activity is being performed as part of that agreement.

"Our recommendation is that when you’re in doubt as to whether or not someone or something is a business associate, then you should get a business associate agreement," advised McKenzie.

Structure

Even if the firm has business agreements in place with an associate, McKenzie recommends segregating HIPAA terms and conditions into a separate written agreement.

"It supplements your primary contract containing the terms on which you do business, it’s flexible and permits an adaptable approach. (It’s) good in case final HIPAA security rules require changes to the agreement, it compartmentalizes issues and negotiations, and it’s helpful for compliance purposes. You only have to show this document to HHS if they are investigating the business associate agreement," she noted.

Required provisions

There are several provisions that must be in all business associate agreements, which:

  • Must establish permitted and required uses and disclosures of protected health information.

  • May not authorize use or disclosure that would violate regulations if performed by the covered entity.

  • Use and disclosure only as permitted or required.

  • Use appropriate safeguards.

  • Report of unauthorized uses and disclosure.

  • Ensure that agents and subcontractors agree to similar restrictions.

  • Accommodate individual rights, such as the right of access to inspect or obtain a copy of protected health information.

  • Make internal practices, books, and records available.

  • Return or destruction of protected health information.

  • Have the ability to terminate.

"In addition, a firm may also want to include additional provisions permitted by the regulations, such as permitting the business associate to use and disclose, if necessary, protected health information for proper management and administration or as required by law; or allowing a business associate to combine protected health information of one covered entity with that of another covered entity for data aggregation services," McKenzie said.

Tilting agreements

Although the required provisions for each agreement may seem thorough, there are several additional items a firm should try to negotiate into its business associate agreements.

"The most highly recommended provision for a covered entity to have in its business associate agreements is a provision for mitigation," said McKenzie.

A mitigation provision holds that a business associate must promptly cure any breach or violation and take all necessary and appropriate steps, at its expense, to mitigate any harm caused, she said.

Other provisions that her firm recommends its clients try to obtain are:

  • Intervention, which grants the covered entity the right to intervene and effectuate a cure of a breach or violation, and stipulates that any breach or violation would cause irreparable harm entitling the covered entity to injunctive relief.

  • Compliance with all applicable laws and regulations, including future and modified HIPAA regulations.

  • Indemnification against claims or damages resulting from a breach or violation of a business associate’s duties.

  • Requiring a business associate to carry insurance coverage for claims and damages resulting from a breach of its duties.

  • Limit protected health information to the minimum necessary to accomplish the intended purpose of use and disclosure.

  • Document uses and disclosures as well as develop, maintain, and retain privacy polices and procedures.

  • Require a business associate to train its staff on privacy policies and procedures.

  • Define a business associate’s access, identification, and authentication processes for protected health information.

  • Notify the covered entity in the event of a subpoena or discovery request.

  • Provide methods and procedures for disposal or destruction of protected health information.

As the deadline for implementation of business associate agreements is only two months away, radiology administrators have to be sure that their firms are in compliance with the regulations.

"If a business associate doesn’t want to sign an agreement with your firm, and you don’t want to be a guest of Club Fed (i.e., prison), then you had better find another associate with whom to conduct business -- and get a signed agreement in place before you do," McKenzie advised.

By Jonathan S. Batchelor
AuntMinnie.com staff writer
February 11, 2003

Related Reading

Due diligence builds imaging center muscle, December 19, 2002

HIPAA-related courses and seminars: Worth the time, every time?, November 11, 2002

Privacy specialist offers a methodical approach to HIPAA compliance, August 30, 2002

Copyright © 2003 AuntMinnie.com

Latest in PACS/VNA
Business Deal Handshake
InsiteOne acquires Brit Systems
November 30, 2023
Cyber Informatics 400
What are the benefits of using an AI server downstream of PACS?
November 28, 2023
Amy Thompson of Signify Research.
Enterprise imaging: What is the market opportunity beyond radiology?
October 18, 2023
Gamingmouse
How to hack a gaming mouse for PACS: Group offers guide for rads
October 6, 2023
Related Stories
2003 02 03 17 06 07 706
PACS/VNA
Medical system migration, Part II: New target-architecture design
2003 02 01 16 28 43 706
PACS/VNA
Medical system migration: Developing a new software architecture
2003 01 20 16 41 46 706
PACS/VNA
Offsite ASP archive fulfills disaster-recovery, backup requirements
2003 01 06 18 18 20 706
PACS/VNA
AuntMinnie's IMV MarketStat #18: Distribution of radiology information systems
More in PACS/VNA
InsiteOne acquires Brit Systems
By AuntMinnie.com staff writers
Cloud-based clinical image management company InsiteOne will acquire BRIT Systems.
November 30, 2023
Business Deal Handshake
What are the benefits of using an AI server downstream of PACS?
By Liz Carey
Funneling image studies through a private AI server creates opportunities for big data research and speeds AI analysis time to reporting.
November 28, 2023
Cyber Informatics 400
Enterprise imaging: What is the market opportunity beyond radiology?
By Amy Thompson
Amy Thompson of Signify Research assesses the future prospects for the enterprise imaging market.
October 18, 2023
Amy Thompson of Signify Research.
How to hack a gaming mouse for PACS: Group offers guide for rads
By Will Morton
High-performance gaming mice offer radiologists multiple custom buttons and superior tracking features that can streamline radiology tasks.
October 6, 2023
Gamingmouse
Sectra posts growth in net sales, revenue in Q1
By AuntMinnie.com staff writers
Enterprise imaging firm Sectra reported strong net sales and revenue growth in the first quarter of 2023, citing deployment of it cloud services for diagnostic imaging.
September 4, 2023
2020 02 20 17 57 8385 Sectra Rsna 2019 400
Rad AI to launch its Omni Reporting software
By AuntMinnie.com staff writers
Rad AI plans to formally launch its Omni Reporting software on September 27.
August 21, 2023
2018 08 01 23 13 1733 Artificial Intelligence Ai 400
Qure.ai and xWave establish strategic partnership
By AuntMinnie.com staff writers
Radiology AI software developer Qure.ai and xWave Technologies have established a strategic partnership focused on improving radiology workflows.
August 15, 2023
2022 06 28 17 16 2885 Hands Shaking3 20230509203239
Sectra inks $227M deal with U.S.-based health system
By AuntMinnie.com staff writers
Enterprise imaging firm Sectra said it has inked a deal valued at $227 million to provide its Sectra One Cloud subscription service for diagnostic imaging to a large U.S.-based health system.
August 15, 2023
2020 02 20 17 57 8385 Sectra Rsna 2019 400
US Radiology Specialists begins recruiting for Connexia
By AuntMinnie.com staff writers
US Radiology Specialists is beginning recruitment for US Radiology Connexia, the company's new teleradiology organization.
August 14, 2023
2022 07 06 17 35 0405 Computer Doctor Patient Video 400
Segmed platform passed 100M studies
By AuntMinnie.com staff writers
Data management vendor Segmed said its Insight cloud-based platform has now surpassed 100 million imaging studies
August 13, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Radsource deploys 10 new ProtonPACS
By AuntMinnie.com staff writers
Radsource completed 10 installations of its ProtonPACS software for new customers in the second quarter of 2023, the company said.
August 9, 2023
2016 08 24 09 43 13 537 Hands Shaking V3 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Page 1 of 775
Next Page