CMU Bulletin 05-04
HIPAA Business Associate Addendum Revision (12-12-05)

Purpose
- Announces revision of DHS’ HIPAA Business Associate Addendum (HIPAA Exhibit) – Standard Risk
- Announces the availability of an additional HIPAA Business Associate Addendum (HIPAA Exhibit) – High Risk
- Defines “business associate”
- Provides criteria for identifying affected agreements
- Announces requirements for including the revised exhibits in future agreements
- Supersedes and replaces CMU Bulletin 03-05

Effective date
December 15, 2005; remains in effect until superseded or cancelled.

Background
The Privacy Rule that implemented the Health Insurance Portability and Accountability Act (HIPAA) is found at 45 Code of Federal Regulations (CFR) Parts 160 and 164. The Privacy Rule governs the use and disclosure of protected health information. Protected health information (PHI) is individually identifiable health information, which includes demographic information and is created or received by a health care provider or health plan. Each written agreement with a “business associate” must contain the terms specified in one of the HIPAA Addenda (Standard or High Risk) requiring the business associate to appropriately safeguard PHI. Visit http://www.dhs.ca.gov/privacyoffice for more information on this topic.

Service / grant agreements impacted by this bulletin
DHS has many contractual relationships with entities that perform functions on behalf of DHS health plans and/or health providers covered under HIPAA. However, not all contractors/grantees are considered “business associates” covered by HIPAA. To be a business associate, a contractor/grantee will meet the following criteria:

IF this ….
Performs or assists in performing a function or activity that involves the access, use, or disclosure of individually identifiable health information.

And this ….
Performs activities, such as claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing benefit management; practice management, and re-pricing on behalf of a DHS health plan or provider.

Or this ….
Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a DHS health plan or provider.

Contact DHS’ Privacy Officer for questions about the applicability of HIPAA requirements to an individual agreement.

Required action
1. Future agreements: New service and grant agreements (including renewals) with DHS business associates must include one of DHS’ revised HIPAA Addenda (Standard Risk or High Risk). A link to DHS’ revised HIPAA Exhibits is in each contract model.
2. Effect on pending agreements: Existing draft and pending final agreements, subject to the HIPAA provisions, previously sent to the Contractor and/or CMU for signature that contain a former DHS HIPAA Addendum need not be altered to replace the HIPAA Exhibit.
3. Amendments: It is not necessary to amend a previously executed agreement for the sole purpose of adding a revised HIPAA Addendum. When amending a previously executed agreement to extend its term; add/alter funding; add/modify the scope of work; or any combination of transactions, program personnel are to add the appropriate revised HIPAA Addendum to the amendment. The effective date of the transaction adding the revised HIPAA Addenda can be no earlier than December 15, 2005.
4. Procurement documents: IFBs/RFPs/RFAs issued after the release of this bulletin that will result in services impacted by HIPAA provisions must include one of DHS’ revised HIPAA Addenda (Standard Risk or High Risk). A link to DHS’ revised HIPAA Exhibits is in each bid model.

Situations NOT impacted by HIPAA
The following are not business associates or business associate relationships:
1. Medical providers providing treatment to individuals
2. Government agencies performing enrollment or eligibility determinations involving DHS clients
3. Payment relationships, such as when DHS pays medical providers or other entities for services to DHS clients, when the other entity is providing its own normal services that are not on behalf of DHS
4. When the only information being disclosed during performance is information that is de-identified or not individually identifiable health information
5. When performance does not involve the use or disclosure of individually identifiable health information
6. Grant agreements passing funds to a nonprofit or county agency to provide direct services to the public and billing does not occur on a fee-for-service basis
7. Many state agency agreements awarded by non-Medi-Cal programs

Contact DHS’ Privacy Officer for questions about the applicability of HIPAA requirements to an individual agreement.

HIPAA Business Associate Addendum content
(DHS’ HIPAA Addendum was revised 12/05.)
This is a brief overview of the content of the DHS HIPAA Addenda. Read each HIPAA Addendum to become familiar with its requirements. Each HIPAA Addendum:
1. Establishes the permitted and required uses and disclosures of protected health information (PHI).
2. Prevents a Contractor from using or further disclosing PHI other than as permitted or required by a DHS agreement, or as required by law.
3. Requires a Contractor to use appropriate safeguards to prevent the use or disclosure of PHI.
4. Requires a Contractor to take steps to ensure the security of computerized data systems and imposes specific security requirements on the Contractor.
5. Requires a Contractor to notify DHS immediately of any actual breach of security of computerized data, or within 24 hours of any security incident, intrusion, or unauthorized use or disclosure of PHI, or potential loss of data.
6. Requires a Contractor to pass applicable HIPAA requirements on to its agents and/or subcontractors.
7. Requires a Contractor to make its internal practices, books, and records relating to the use and disclosure of PHI available to DHS and to the federal government to determine compliance with the Privacy Rule.
8. Requires a Contractor, at termination of an agreement, if feasible, to return or destroy all PHI that it still maintains in any form, and prevents a Contractor from keeping copies. If not feasible, the Contractor must continue to protect the PHI.
9. Outlines conditions for agreement termination by DHS, if DHS determines there is a violation of a material term of the HIPAA Addendum.

When to use the Standard Risk vs. the High Risk HIPAA Addendum
This table provides general guidelines for using each of DHS’ HIPAA Addenda. Both Addenda are similar, and the only difference between the two is the presence of additional security standards in the High Risk version. Version differentiation (e.g., High vs. Standard) appears on page one and in the footer area of each exhibit.

STANDARD Risk ….
Unless the contractor’s name or service type appears in the High Risk column, include the Standard Risk HIPAA Addendum in each new, renewed, and amended agreement that is subject to the HIPAA provisions.
It is not necessary to initiate an amendment to a contract or grant for the sole purpose of adding the revised Standard Risk HIPAA Addendum.

HIGH Risk ….
Agreements with the following named contractors, their respective services, and any contractor chosen to replace them or assume their functions must include the High Risk HIPAA Addendum:
- Medstat (MIS/DSS-Medi-Cal issued)
- Maximus (HCO-Medi-Cal issued)
- Fiscal Intermediaries including EDS and Delta Dental (Medi-Cal issued)
- HHSDC
- Agreements with other California state agencies
- UC campus agreements or The Regents of the University of California
In addition to including the High Risk HIPAA Addendum in the agreements listed above, programs may, at their discretion, upon entering a new agreement or renewing/amending an existing agreement currently subject to HIPAA provisions, add the revised High Risk HIPAA Addendum. It is prudent to include the High Risk HIPAA Addendum in any contractual situation in which a higher level of data security is needed, e.g., where there is an extensive use and/or disclosure of confidential health information.

HIPAA Addendum changes / questions
No changes or modifications (including format and content) are to be made to any HIPAA Addendum by DHS program staff or a Contractor without the express approval of Roberta Ward (DHS-OLS), DHS’ Privacy Officer, or her designee. Direct questions about the contents of the HIPAA Addendum and any requests for language alterations or interpretations to Roberta Ward at (916) 440-7750.

Program responsibilities
In addition to ensuring the appropriate HIPAA Addendum is added to applicable agreements at initiation or via amendment, program staff are to familiarize themselves with the Scope of Work or Statement of Work and the contents of the applicable HIPAA Addendum to ensure they monitor the Contractor’s compliance with those requirements. Specifically, program staff must:
1. Respond to inquiries from Contractors regarding allowable or non-allowable use and disclosure of PHI and other HIPAA Contractor responsibilities, in consultation with house counsel or the DHS Privacy Officer.
2. Review Contractor policies and practices to ensure adequacy of PHI safeguards and security.
3. If the program now requires prior approval of subcontracts, ensure adequate HIPAA terms and conditions appear in subcontracts. Use of DHS’ HIPAA Addendum is not required.
4. Report to DHS’ Privacy Officer any reported unauthorized use or disclosure of PHI as this information becomes available.
5. Provide Contractors with any amended Notice of Privacy Practices adopted by DHS in accordance with 45 CFR 164.520.
6. Provide Contractors with any changes in or revocation of permission by an Individual to use or disclose PHI, if such changes affect a Contractor’s permitted or required uses and disclosures.
7. Notify Contractors of any restriction to the use or disclosure of PHI that DHS has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect a Contractor’s use or disclosure of PHI.
8. Not request a Contractor to use or disclose PHI in any manner that would not be permissible under the HIPAA regulations if done by DHS.
9. If there is a complaint or concern about compliance with the HIPAA Addendum, or during routine audits and inspections if the program desires, inspect the Contractor’s facilities, systems, books, and records to monitor compliance with the HIPAA Addendum.
10. Collect written evidence regarding the Contractor’s processes and policies for safeguarding PHI.

HIPAA violations
If DHS program staff knows of a Contractor’s pattern of activity or practice that constitutes a material breach or violation of a HIPAA Addendum, staff must:
1. In consultation with DHS’ Privacy Officer, ensure the Contractor takes reasonable steps to cure the breach or end the violation, including working with and providing consultation to the Contractor;
2. Terminate the contract, if such steps are unsuccessful;
3. If termination is not feasible, report the problem to the U.S. Department of Health and Human Services through DHS’ Privacy Officer.

Questions
Contact Roberta Ward at (916) 440-7750 for questions about:
- DHS’ revised HIPAA Addenda and their content
- Whether or not a specific contract or service is affected by HIPAA
- A Contract Manager’s role and responsibilities for HIPAA compliance