by Pamela T. Haines, RHIA
If you are writing business associate agreements for a healthcare provider these days, you have probably discovered there are often no magic words or formulas that will produce an agreement. Although sample forms available from various sources may be helpful, generally no two business associates are alike.
If you treat patients whose information is subject to more stringent privacy protections under federal law (such as the drug and alcohol confidentiality law), you can plan to throw a qualified service organization agreement into the mix. Then there are the noncovered entities who may want to write your business associate agreement for you. These noncovered entities may have hundreds or thousands of other covered entity customers that also need an agreement.
Whatever the case, if you are the covered entity who is asking another person or company to perform a service for you or on your behalf, and they need protected health information to perform that service, you will need to ensure that no matter who writes the agreement, it conforms with your legal responsibilities.
First Things First—Defining Business Associate Agreements
The first step is determining whether the person or company that the covered entity wants to enter into a business associate agreement with does in fact meet the criteria of the privacy rule for a business associate agreement. Is the person or entity not a member of your work force? Is the person or entity going to perform or assist in performing legal, actuarial, accounting, consulting, data processing, accreditation, or other financial, management, or administrative services for your organization? Do any of these services involve the use or disclosure of protected health information?
Can this person or other entity provide you with satisfactory assurances that they will appropriately safeguard your company’s protected health information? If not, then you cannot enter into a business associate agreement with that person or other entity. Keep in mind that a business associate agreement cannot be applied to another healthcare provider concerning the treatment of an individual, nor to a health plan as delineated in 164.504 of the rule. (See the text of the privacy rule, 45 CFR, Part 160.103, 164.502, and 164.504, for additional important details.)
The Privacy Rule and the Business Associate Agreement
Once you are sure a business associate agreement is appropriate, it may be helpful to start out with a sample business associate agreement form that generally addresses your needs, such as the one available on the Office for Civil Rights (OCR) Web page at www.hhs.gov/ocr/hipaa. If you do not have patients who are protected by other federal or state laws that are more stringent in protecting their privacy rights, you may be able to follow the OCR agreement and fill in the blanks.
The OCR sample business associate agreement consists of:
- Obligations and activities of the business associate
- Permitted uses and disclosures by the business associate (general and specific uses)
- Obligations of the covered entity
- Permissible requests by the covered entity
- Term and termination of the agreement with the business associate
Regarding permissible requests, the covered entity is prohibited from asking the business associate to do anything that would not be permissible under the privacy rule if likewise performed by the covered entity. An exception may be permitted if the business associate will use or disclose protected health information for (and the agreement includes provision for) data aggregation or management and administrative activities of the business associate. Sections 164.502(e) and 164.504(e) of the privacy rule should be read along with the sample agreement.
The Federal Drug and Alcohol Confidentiality Law and State Law
If you work for a covered entity that is federally assisted in some way and renders substance abuse services that meet the criteria of a program under the drug and alcohol confidentiality law—in other words, the covered entity “holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment (42 CFR, Part 2, 2.11)” [1]—then you must take this federal law into account as you write your business associate agreements. This can be done by inserting the qualified service organization agreement into the business associate agreement and ensuring that the business associate agreement aspects do not contradict the terms of the qualified service organization agreement. This agreement is very brief but comprehensive and reads as follows:
- [the qualified service organization] acknowledges that in receiving, storing, processing, or otherwise dealing with any patient records [note: “records” refers to any information whether recorded or not] from the program, it is fully bound by these regulations; and
- if necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by these regulations. [2]
If you are familiar with the federal drug and alcohol confidentiality law, you will immediately realize the complexity of combining a qualified service organization and a business associate agreement. Aside from carrying out the services that they are providing to the program that has engaged them in the agreement, a qualified service organization/business associate is prohibited from redisclosing protected health information.
A qualified service organization agreement excludes disclosure of protected health information by the qualified service organization/business associate for the proper management and administration of the qualified service organization/business associate or to carry out its legal responsibilities because “any redisclosure of patient identifying information, even to an agent or subcontractor of the qualified service organization/business associate, remains strictly prohibited by 42 CFR, Part 2, unless the qualified service organization/business associate obtains written patient consent.” [3]
All potential agreements must be reviewed to determine whether a qualified service organization/business associate agreement is permitted by 42 CFR, Part 2. For example, agreements cannot be signed with law enforcement departments or with other drug or alcohol treatment programs that provide the same services to patients as the drug and alcohol treatment program initiating the agreement. Business associate agreements for treatment, payment, and operation purposes are unnecessary under the privacy rule.
However, since substance abuse treatment programs cannot disclose protected health information for treatment, payment, and operation purposes without authorization, a qualified service organization agreement may only be permissible with a mental health provider as an alternative to patient authorization. On the other hand, the privacy rule permits a business associate agreement with accrediting organizations as an alternative to an authorization, while a qualified service organization agreement is not required to perform audit and evaluation activities—although the activities are strictly regulated by the law (2.53) and must be reflected in this business associate agreement.
In some instances state law may be more protective of the privacy rights of drug and alcohol, mental health, and other patients (e.g., HIV and AIDS patients) than the HIPAA privacy rule and 42 CFR, Part 2. If this is the case, the more restrictive law will generally take precedence and will need to be reflected in decisions related to engaging in business associate and qualified service organization agreements.
This article has illustrated just a few of the complications HIM professionals face in writing business associate agreements and qualified service organization/business associate agreements in compliance with the applicable laws that govern the protected health information of patients. There will be times when the HIM professional will need to consult an attorney familiar with both state and federal laws to clarify issues and concerns. At the same time, a wealth of professional expertise is also available for AHIMA members online in the AHIMA HIPAA-related Communities of Practice at www.ahima.org.
Although there is no magic bullet, careful planning and research can help you navigate this complicated process.
1. Public Health Service, Department of Health and Human Services. “Confidentiality of Alcohol and Drug Abuse Patient Records.” Code of Federal Regulations, 2002. 42 CFR, Part 2. Available online at www.access.gpo.gov/nara/cfr/waisidx_02/42cfr2_02.html.
2. Ibid., 2.11.
3. The Legal Action Center specializes in legal and policy issues concerning people in treatment and recovery from alcohol and drug problems, people with HIV and AIDS, and people with histories of criminal justice system involvement. Its 2003 revision of Confidentiality and Communication, A Guide to the Federal Drug and Alcohol Confidentiality Law and HIPAA includes a sample qualified service organization/business associate agreement.
Pamela T. Haines (email@example.com) is the administrator of medical records and privacy officer at Operation PAR, Inc.
Haines, Pamela T. "Special Considerations for Business Associate Agreements: Substance Abuse Treatment, Federal Law Present Challenges." Journal of AHIMA 75, no.4 (April 2004): 50-53.