Op10.04-21 Business Associates
It is the policy of Missouri State University and its Health Care Components (HCC) to obtain satisfactory assurances from business associates who will use the information only for the purpose for which it was engaged by the HCC, will safeguard the information from misuse and will help the HCC comply with its duties under HIPAA to help carry out its health care functions. 45 CFR 502(e), .504(e).
- Patient: Any individual who has received or is receiving services from HCC.
- Protected Health Information (PHI): Individually identifiable health information as defined at HIPAA Procedure 1.005, 1.b. and c
- Business Associate: A person or entity who performs functions or activities that involve the use or disclosure of PHI on behalf of, or provide services to, a HCC, including claims processing or administration, data analysis, processing or administrative utilization review, quality assurance, billing, benefit management, practice management, and other services involving disclosure of PHI. A member of the University HCC workforce is not a business associate.
- General Provision. HIPAA requires that a HCC obtain satisfactory assurances from its
business associate that the business associate will appropriately safeguard the protected
health information it receives or creates on behalf of the covered entity. The satisfactory
assurances must be in writing, whether in the form of a contract or other agreement
between the covered entity and the business associate.
- Business associate functions and activities include: Claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.
- Business associate services are: Legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
- Examples of Business Associates.
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan's pharmacist network.
- Business Associate Contracts. A HCC’s contract or other written arrangement with its
business associate must contain the elements specified at 45 CFR 164.504(e). For example,
the contract must:
- Describe the permitted and required uses of protected health information by the business associate;
- Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
- Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
- Sample business associate contract language is available as HIPAA Procedure 1.160, Form 1
- Transition Provisions for Existing Contracts. HCCs that have an existing contract (or other written agreement) with a business associate prior to October 15, 2002, are permitted to continue to operate under that contract for up to one additional year beyond the April 14, 2003, compliance date, provided that the contract is not renewed or modified prior to April 14, 2003. This transition period applies only to written contracts or other written arrangements. Covered entities with contracts that qualify are permitted to continue to operate under those contracts with their business associates until April 14, 2004, or until the contract is renewed or modified, whichever is sooner, regardless of whether the contract meets the Rule's applicable contract requirements at 45 CFR 164.502(e) and 164.504(e). A covered entity must otherwise comply with HIPAA, such as making only permissible disclosures to the business associate and permitting individuals to exercise their rights under HIPAA.
- Exceptions to the Business Associate Standard. In these situations, a HCC is not required
to have a business associate contract or other written agreement in place before protected
health information may be disclosed to the person or entity.
- Disclosures by a HCC to a health care provider for treatment of the individual.
- Disclosures to a health plan sponsor, such as an employer, by a group health plan, provided that the group health plan's documents have been amended to limit the disclosures or one of the exceptions at 45 CFR 164.504(f) have been met.
- The collection and sharing of protected health information by a health plan that is a public benefits program, such as Medicare, and another agency to determine eligibility or enrollment.
- Other Situations in Which a Business Associate Contract Is NOT Required.
- When a health care provider discloses protected health information to a health plan for payment purposes. A HCC that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the "business associate" of the other.
- With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
- With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.
- Among covered entities who participate in an organized health care arrangement (OHCA) to make disclosures that relate to the joint health care activities of the OHCA.
- Where a group health plan purchases insurance from a health insurance issuer or HMO.
- Where one covered entity purchases a health plan product or other insurance, for example, reinsurance, from an insurer.
- To disclose protected health information to a researcher for research purposes, either with patient authorization, pursuant to a waiver under 45 CFR 164.512(i), or as a limited data set pursuant to 45 CFR 164.514(e). See HIPAA Procedure 1.055.
- When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums.
- General Provision. HIPAA requires that a HCC obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
- Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
- Sanctions. Failure to comply or assure compliance with the policy may result in disciplinary action, up to and including dismissal.
HISTORY: Effective March 21, 2003