As I discussed in my December column, beginning in April, many dentists will have to comply with new federal privacy regulations mandated by the Health Insurance Portability and Accountability Act of 1996, or HIPAA. One of the key requirements is that health care providers who must follow the regulations will be obliged to enter written contracts with certain entities that have access to patients' health information.
As I explained in the December 2002 issue of JADA, dentists must first determine whether they are "covered entities" who will be legally required to comply with the privacy regulations. If a dentist transmits certain patient health information in electronic form, either directly, or indirectly through a vendor or billing service, he or she would be a covered entity. The type of electronic transactions that would make a dentist a covered entity include claims submissions and electronic communications regarding referrals, transmitted in a format specified by the U.S. Department of Health and Human Services, or DHHS.
The American Dental Association strongly recommends that all dentists take steps to protect patients' privacy. However, only those dentists who are covered entities will be required by the HIPAA regulations to enter written agreements with certain "business associates" who will have access to health information about the dentists' patients. As you may recall, last month I stated that the HIPAA privacy regulations govern the use and disclosure of "protected health information." Protected health information, or PHI, is any information that relates to an individual's health or health care and specifically identifies that person. The HIPAA requirements apply to any uses or disclosures of PHI, through electronic, written or oral communications. Thus, although a dentist must transmit certain PHI electronically to become a covered entity, once the dentist becomes a covered entity, the HIPAA requirements will apply to all of his or her communications of PHI, not just electronic transactions.
A key point to remember is that dentists who are covered entities will not be required to enter business associate agreements with other health care providers to disclose PHI to those providers for purposes of the treatment of the patient whose PHI is disclosed. Thus, a general dentist who is a covered entity will be able to discuss a patient's case with a specialist, if the general dentist has referred the patient to that specialist.
However, a covered entity may have to enter business associate agreements with a number of other parties with whom the covered entity has a business relationship, if those other parties have access to, or may need to review, PHI pertaining to the covered entity's patients. Examples of possible business associates include a dentist's accountant, business consultant, attorney, answering service, billing service and computer vendor.
If you are a covered entity, you will have to carefully evaluate your existing business relationships. If any of those business relationships involve the use or disclosure of PHI, and the relationship will continue to exist on April 14, then under most circumstances you will need to enter a written business associate agreement with that entity by that date. The HIPAA privacy regulations mandate that such business associate agreements include certain provisions designed to protect the privacy of patients' health information.
At a minimum, the business associate agreement must establish the permitted and required uses and disclosures of the PHI by the business associate. The contract may not authorize the business associate to use or disclose the PHI in a way that would violate the HIPAA privacy regulations, if the use or disclosure were performed by the covered entity. However, the agreement may authorize the business associate to use and disclose PHI for the proper management and administration of the business associate. The contract also may permit the business associate to provide data aggregation services related to the health care operations of the covered entity.
The business associate agreement also must provide that the business associate will:
- not use or further disclose the information other than as permitted or required by the contract or as required by law;
- use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
- report to the covered entity any use or disclosure of the information not permitted by the contract, if the business associate learns of any unauthorized uses or disclosures;
- ensure that any agents, including a subcontractor, to whom it provides PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information;
- make PHI available in accordance with patients' rights to review their PHI, to request amendments to their PHI and to obtain an accounting of certain disclosures of their PHI;
- make its internal practices, books and records relating to the use and disclosure of the PHI available to DHHS for purposes of reviewing the covered entity's compliance with the privacy regulations;
- at termination of the contract, if feasible, return or destroy all PHI that the business associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, the business associate must agree to extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
In addition, the business associate agreement must authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. Furthermore, the HIPAA privacy regulations state that, if a covered entity is aware of activities by the business associate that constitute a breach of its obligations under the business associate agreement, the covered entity must take reasonable steps to stop the breach. If the covered entity is unable to end the breach, it must terminate the contract, if feasible. If termination is not feasible, the covered entity must report the business associate to DHHS.
The HIPAA requirements for business associate agreements apply only to the protection of PHI that is maintained by or accessible to the business associate. These provisions of an agreement with a business associate would not govern other aspects of your business relationship with a particular associate. For example, the terms of an agreement with your attorney would be very different from the terms of your agreement with your billing service. If you do not presently have a written contract with a business associate who has access to your patients' PHI, and you are a covered entity, you may want to enter a written agreement that governs only the use and disclosure of PHI. This would be a simpler way to ensure that all necessary business associate agreements are in place by April. You would then have the option of later adding provisions to each business associate contract that specifically address the terms of your business relationship with that person or company.
If you are a covered entity, many of your business associates probably are aware of the requirement to enter a written agreement governing the use and disclosure of PHI by April 14. Some of them already may have approached you with a proposed business associate agreement. If you are reviewing business associate contracts that have been offered to you, or if you are working with your attorney to draft business associate agreements, you will want to ensure that these agreements include the required provisions described in this article.
In addition, the ADA's HIPAA Privacy Kit contains a form labeled "Addendum to Agreement with Business Associate," which can be modified as appropriate for use in your practice. The document is labeled "addendum" because it contains only the terms pertaining to use and disclosure of PHI by the business associate. These provisions could be added to an existing contract with your business associate, or the document could be used as a stand-alone agreement.
The "Addendum to Agreement with Business Associate" contains all of the provisions required by the HIPAA privacy regulations, as well as some additional terms that are advantageous to dentists. One of these terms requires the business associate to report any unauthorized uses or disclosures of PHI to the dentist within 24 hours after the business associate learns of the violation. Another pro-dentist provision requires the business associate to indemnify the dentist for any losses the dentist may incur as a result of an unauthorized use or disclosure of PHI by the business associate, or by any person or entity under the business associate's control. The model language from the HIPAA Privacy Kit can be used as a basis for a business associate agreement you may draft with your attorney, or it can be used as a tool for comparison and negotiation when reviewing contracts offered by your business associates. If you do not already have a HIPAA Privacy Kit, you can order one by calling 1-800-947-4746.
Whether you are drafting your own business associate contracts, or reviewing agreements offered to you by your business associates, you also may want to take a look at sample contract language drafted by DHHS. These sample provisions can be accessed at "www.hhs.gov/ocr/hipaa/contractprov.html". The DHHS sample terms include all the provisions required by the HIPAA privacy regulations, and could be used as a tool for compromise in negotiations with business associates, since they were not drafted to favor either the covered entity or the business associate.
As I mentioned previously, there is an exception to the requirement that business associate agreements be in place by April 14. If you are a covered entity and already have a written contract with a business associate, you may be eligible for a reprieve. If the existing written agreement is not amended or renewed by April 14, then you are not required to adopt provisions protecting PHI until April 14, 2004, or until the contract is amended or renewed, whichever event occurs first.
You may wish to consult with your attorney with reference to these agreements and to determine whether your agreements are also in compliance with state law.