HIPAA COW BUSINESS ASSOCIATE AGREEMENT TEMPLATE 
September 27, 2002

INTRODUCING THE HIPAA COW BUSINESS ASSOCIATE AGREEMENT TEMPLATE
Carol Rubin
Co-Chair, HIPAA Privacy Taskforce

CREATION OF HIPAA COW BAC TEMPLATE
• Drafted by Contracting Workgroup of the HIPAA COW Privacy Taskforce over many months
• Members:
  • Janice Ahlstrom -- BORN
  • Sue Bevsek -- Covenant Health Care
  • Wendy Bergh -- Group Health Cooperative
  • Tracey Klein -- Reinhart Boerner Van Deuren SC
  • Nancy LeMarbre -- ProHealth Care
  • Roger Rego -- Beaver Dam Community Hospital
  • Carol Rubin -- WEA Trust
• Had a variety of different BA templates to consider, including DHHS model
• Wanted to add value by injecting our pragmatic insight of how a variety of BA relationships actually function
• Biggest issues should be referenced in footnotes
• Dozens of smaller decisions embodied in the provisions
• Must be customized and reviewed by your attorney

BAC FORMATS
• Addendum
• Sections to incorporate into a brand new contract
• Stand-alone HIPAA Privacy Agreement?

LESSONS LEARNED
• Do not just insert provisions from the HIPAA statute or regulations
• Minimize HIPAA definitions; do not need to define:
  • Covered Entity
  • Business Associate
  • Designated Record Set
• Where a definition is essential to contract, reword or combine definitions to make it intelligible to BA
• As much as possible, exclude all references to federal code which:
  • Could frighten unsophisticated BAs
  • Force them to secure legal advice where they otherwise wouldn’t need to
• BAC should help educate BAs, not force them to secure legal advice to understand totality of HIPAA law

ISSUES/CHALLENGES
• Use of PHI
• Security Issues
• Relationship of BAC and TPA
• Reporting of Unauthorized Disclosures
• Accounting of Disclosures
• Term and Termination
• Plus others

USE OF PHI
• How to harmonize:
  • The general prohibition on BA’s use
  • The BA use expressly permitted by contract, and
  • The use for BA’s “proper management and administration, or . . . . legal responsibilities. . .”
• See Provisions 2, 3, and 4

HOW TO ADDRESS SECURITY ISSUES WHEN THE SECURITY RULE IS NOT FINAL
• Impose general security obligation to safeguard PHI on BA, Provision 5
• If CE wants to review BA’s security safeguards, see Footnote 4
• Plus, Provision 7 references conformance with more specific HIPAA security requirements once those regulations are effective if this BA receives PHI in electronic form

RELATIONSHIP OF BAC AND TRADING PARTNER AGREEMENT
• Provision 8: We inserted a very minimal TPA provision, to use if desired
• Another HIPAA COW EDI taskforce is working on a TPA
• Delete if BA does not conduct any Standard Transaction for you
• Yes, a BA and a TPA, and a Chain of Trust agreement can be combined
• But many Trading Partner relationships will not have an underlying BAC, for example, between a provider and a payer where provider only submits claims

REPORTING OF UNAUTHORIZED DISCLOSURES OR MISUSE
• See Provision 11
• Establish and spell out the procedure now, not after the misuse
• Helpful if all CEs used the same or similar procedure

BA’s TRACKING AND ACCOUNTING OF DISCLOSURES: PROVISION 13
• Many legal concepts to fit into one provision, many of which might not be relevant to a particular BA
• May appear intimidating to a BA
• Exceptions at subsection (b) very significant, might eliminate all or most of the obligations of subsection (a)

TERM AND TERMINATION: PROVISION 15 AND FOOTNOTE 12
• CE’s unilateral right to terminate will trouble BAs, but is legally required
• Provision 15 is as explicit and non-threatening as possible
• Added requirements of notice, reasonableness, good faith, and material breach, none of which are expressly referenced in HIPAA regulations (greatest expansion on HIPAA requirements)

MISCELLANEOUS: PROVISIONS 17 AND FOOTNOTES 14-17
• Indemnification
• Automatic amendment (lifted from DHHS model)
• Response to subpoenas
• Ownership of data and information

DISCUSSION/QUESTIONS?