JULIAN F. KEITH, ADATC
POLICY AND PROCEDURE MANUAL
Procedure Name: Administrative, Business Associates
Effective Date: April 14, 2004
Original EffectiveDate: April 14, 2003
To ensure all individuals or organizations that perform specific functions, activities, or services for Julian F
Keith, ADATC involving the sharing of individually identifiable health information, are appropriately identifie
according to the HIPAA Privacy Rule as a ‘business associate’; and to further ensure that ‘agreements’ ar
developed to support such contractual relationships, as appropriate.
The HIPAA Privacy Rule requires that Julian F. Keith, ADATC identify persons or entities that provide specif
functions, activities, or services that involve the use, creation, or disclosure of individually identifiable healt
information for Julian F. Keith, ADATC, or on their behalf . Such entities are referred to as business associates.
The NC Department of Health and Human services has been determined to be a hybrid entity. Although som
health care components of DHHS are not covered health care components under HIPAA, they do perform
functions, activities, or services that involve the sharing of individually identifiable health information for, or o
behalf of, covered health care components thus creating business associate relationships within DHHS. Suc
persons or entities within DHHS are health care components that are referred to as ‘internal business associate
of Julian F. Keith, ADATC.
Components in other North Carolina state government departments/agencies or external contractors outside o
DHHS that perform functions, activities, or services for, or on behalf of Julian F. Keith, ADATC, and involve th
use, creation, or disclosure of individually identifiable health information are referred to as ‘external busine
associates’ of Julian F. Keith, ADATC.
Functions, activities, and services performed by business associates that involve the use, creation, or disclosure o
individually identifiable health information may include claims processing or administration, data analysi
processing or administration, utilization review, quality assurance, billing, benefit management, practic
management and re-pricing.
Julian F. Keith, ADATC has identified its internal business associates by recognizing all of the oth
divisions/offices (or portions thereof) within the Department of Health and Human Services (DHHS) that perform
specific functions, activities, or services for, or on behalf of, Julian F. Keith, ADATC when such functions o
activities involve the sharing of individually identifiable health information.
Julian F. Keith, ADATC has identified its external business associates by recognizing other North Carolina sta
government departments/agencies and external contractors (public and private) that perform specific function
activities, or services for, or on behalf of Julian F. Keith, ADATC when such functions,activities, or service
involve the sharing of individually identifiable health information.
Incidental access to individually identifiable health information while performing duties that do not typical
involve the use or disclosure of such information generally does not constitute a business associate relationship.
Business Associate Agreements
Julian F. Keith, ADATC shall initiate agreements with its business associates in order to share individual
identifiable health information while performing specific functions, activities, or services for, or on behalf o
Julian F. Keith, ADATC.
It is the responsibility of Julian F. Keith, ADATC to execute agreements with external business associates th
provide satisfactory assurance that the external business associate will appropriately safeguard individuall
identifiable health information. The Business Associate Agreement Addendum template and the Busines
Associate Memorandum of Understanding Addendum template, developed by the North Carolina Office of th
Attorney General, are required to be used when contracts are initiated by Julian F. Keith, ADATC staff. Suc
addenda must be attached to either the department’s standard contract or the department’s standard Memorandum
of Understanding (MOU) as specified in the DHHS Purchasing and Contracts Manual.
External contractors may be considered part of Julian F. Keith, ADATC’s workforce, and therefore will n
require a business associate agreement, if the following criteria apply:
♦ The workstation of the person under contract is on the JFK ADATC’s premises and
♦ The person performs a “substantial proportion” of his/her activities at this location.
Any external contractor who is considered part of Julian F. Keith, ADATC’s workforce must comply with JF
ADATC’s privacy policies and procedures.
applies to all DHHS agencies.
Disclosure of individually identifiable health information from one health care provider to another for treatmen
consultation, or referral does not require a business associate agreement. (Note: For MH/DD/SAS agencies
under which Julian F. Keith, ADATC falls, a business associate agreement would not be required, but thos
agencies would have to initiate either a ‘service provider agreement’, according to N.C. General Statutes, o
would have to secure client authorization to disclose health information to a health care provider outside th
A business associate agreement is also not required when individually identifiable health information is disclose
to a health plan for payment purposes.
Julian F. Keith, ADATC and its internal business associates are required to take reasonable steps to correct an
known material breach or violation of the Business Associate Agreement or Memorandum of Understanding.
such steps are unsuccessful, the agreement must be terminated, if feasible; and if not, the problem must b
reported, to the DHHS Privacy Officer who will determine if further actions are warranted, which could includ
reporting the problem and correction attempts to the United States Department of Health and Human Services.
Should Julian F. Keith, ADATC or an internal business associate of JFK ADATC become a business associate o
an agency external to DHHS, the agreement initiated by the external agency must be approved by the NC Offic
of the Attorney General prior to JFK ADATC signing such an agreement.
Identifying Internal and External Business Associates
Julian F. Keith, ADATC has evaluated specific functions, activities, and services that are provided for JF
ADATC, or on behalf of JFK ADATC in order to identify all internal and external business associate
Documentation of internal and external business associates is maintained by the JFK ADATC Business Manage
and updated as Business Associates are added or deleted.
Julian F. Keith, ADATC identifies external business associates at the time when JFK ADATC initially creates
contract with the external contractor, or develops an Memorandum of Understanding (MOU) with anoth
department. Renewal of a contract or MOU that has a Business Associate Addendum requires a review of th
Business Associate Agreement as well, for renewal purposes. Julian F. Keith, ADATC must identify all busine
associate relationships to standard contracts when entering contract information into the DHHS purchase an
contracts database that monitors contract costs.
The Department has developed the HIPAA Guidance to Identifying Business Associates document and Business
Associate Questionnaire worksheets for classifying business associates for DHHS agencies to use in making suc
Contractual Documentation Requirements
There are no contractual documentation requirements for services provided by internal business associates, oth
than the agency’s general documentation requirements.
Documentation of services provided by other NC State government departments/agencies is accomplishe
through a Memorandum of Understanding. Documentation of services provided by external contractors
accomplished through a DHHS standard contract. Documentation of business associate requirements
accomplished in an addendum to the MOU or contract. Business Associate agreements must be maintained for
least six years from the date of creation.
The DHHS Business Associate Addendum to Contract, the DHHS Business Associate Addendum to Memorandu
of Understanding and the stand alone DHHS Business Associate Memorandum of Understanding templates hav
been developed by the N.C. Attorney General’s Office and must be used when service providers outside of DHH
are identified as business associates. These documents include all of the HIPAA requirements to which Julian F
Keith, ADATC’s contractors must agree before JFK ADATC can share individually identifiable healt
Beginning October 15, 2002, all new or amended DHHS contracts or MOUs must be evaluated to determin
whether a business associate relationship exists. If a business associate relationship does exist, the busine
associate agreement developed by the N.C. Office of the Attorney General must be attached to the new o
amended DHHS contract or MOU before April 14, 2003. All contracts and MOUs that are initiated or amende
during fiscal year 2003-2004 must have the business associate agreements attached if contractors are als
business associates. By April 14, 2004, all existing contracts and MOUs that also exhibit a business associa
relationship must be amended to include a business associate agreement (even if the contract period goes beyon
April 14, 2004). By April 14,2004, ALL business associate agreements MUST be in place.
Termination of Business Associate Relationship
Should Julian F. Keith, ADATC or an internal business associate become aware of a pattern of activity, o
practice of an internal business associate that constitutes a material breach or violation of the internal busine
associate’s obligation with respect to privacy of individually identifiable health information in its possession, suc
information shall be forwarded to the DHHS Privacy Officer for resolution.
Should Julian F. Keith, ADATC become aware of a pattern of activity or practice of an external busine
associate that constitutes a material breach or violation of the external business associate’s obligations wit
respect to individually identifiable health information specified in a contract or other arrangement, reasonab
steps should be taken to cure each breach, end the violation, and/or mitigate the consequences.
If such steps are unsuccessful at the sole discretion of Julian F. Keith, ADATC or internal business associate, it
♦ Terminate the contract or arrangement, if feasible; or
♦ If termination is not feasible, the JFK ADATC Privacy Official is responsible for reporting the breach to th
DHHS Privacy Officer. The DHHS Privacy Officer is responsible for resolution, which may includ
reporting the problem to the US DHHS Secretary at:
Office for Civil Rights
U.S. Department of Health & Human Services
Atlanta Federal Center, Suite 3B70
61 Forsyth Street, S.W.
Atlanta, Georgia 30303-8909
Phone: (404) 562-7886
Fax: (404) 562-7881
Tracking of Business Associates
Julian F. Keith, ADATC is required to track their internal business associates by maintaining curren
documentation of their internal business associates throughout the year on the Business Associate Questionnair
worksheets. At the end of the state fiscal year, Julian F. Keith, ADATC is required to send a copy of the “Divisio
Business Associates” and “DHHS Business Associates” worksheets from the Business Associate Questionnaire t
the DHHS Privacy Officer.
The Business Office of Julian F. Keith, ADATC shall track its external business associates through the contrac
that are entered into the Department database for purchasing and contracts by checking the business associa
field as appropriate.
Julian F. Keith, ADATC and internal business associates are not required to provide privacy training to the
external business associates; nor are they required to monitor the privacy protections for individually identifiab
health information that are instituted by their external business associates.
Reference: DHHS Directive Number III-11; 45 CFR 160.103, 164.502(e), 164.504(e), 164.514(e),
For Relevant Documents:
Business Associate Addendum to Contract
Business Associate Addendum to Memorandum of Understanding
Business Associate Memorandum of Understanding
HIPAA Guidance to Identifying Business Associates
Business Associate Questionnaire