I am an independent contractor and the physician I am working for will need to get an updated contract from me (by April 14th I think?), that will include the BA Contract essentials. I am, sad to say, more up-to-date on the HIPAA security issues than my client, so I think I need to take the lead in this matter.

I've seen Carole's post(s) listing the essentials of a BA Contract, but I really wanted to see a good example of how to write these out.

Also, I am currently transcribing from microcasette tapes but have been trying to get my client to go digital. However, my client thinks it might be worse for them HIPAAwise to do this. Is this true? I actually thought I might be able to make the case that digital transcription might be better HIPAAwise because you would have a good security audit trail via passwords, encryption, etc. Am I right here?

If I do go digital, will the physician have to fill out additional forms for "Transactions and Code Sets" or does this only apply to medical insurance companies, etc. I've been confused by the info I've read regarding this on all the HIPAA sites.

My client was also unaware that the HIPAA Privacy Rule applied to non-electronic transactions as well. Am I right in thinking that it applies to all PHI transfers whether they be electronic, written or verbal?

Does anyone have any good information on this or any other sites, especially regarding the publishing of the HIPAA Security Standards Final Rule?

Carole, perhaps you might have some more good information on this since you seem to be very knowledgeable on the subject?

I was wondering if I should join AAMT just because of this issue, but it sure is expensive!

Thanks for all of your help. I really do appreciate this site and I thank all of those knowledgeable individuals in our industry who can and do offer their support and ideas through this forum.

Thanks again!

Courtney

[ 02-22-2003: Message edited by: CourtneyMT ]

I did want to mention I purchased HIPAA for MTs through AAMT (and I'm not a member) and it had a sample of a BA included. VERY informative but for a cost!

However, I did not know you could purchase a HIPAA package from AAMT. I will look into that.

Thanks again!

The HIPAAdvisory site is a great place to go for information. They have administrative simplifications of the regs, frequently asked questions, a decent site search, the whole nine yards. I found the contract above by searching for "business associate sample contract." They have downloadable versions of the final Security Rule also.

As far as whether or digital with encryption is better for HIPAA or not, I don't know that it makes that much of a difference. For example, you can transport tapes and printed files via courier in padlocked bags where only you and someone at the office have the key. Or you can encrypt files and send them through the Internet where only you and someone at the office know the decryption password. Encryption doesn't automatically guarantee an audit trail, just like a locked bag and a courier don't. What it does do is guarantee that a file hasn't been tampered with and can only be viewed by someone with the necessary password.

Another part of HIPAA is that once the patient information is open and available at your place of business you have to take precautions to protect it there as well.

quote:

---

Am I right in thinking that it applies to all PHI transfers whether they be electronic, written or verbal?

---

That is my understanding from reading the regs.

Mike DeTuri

I found that the Chain of Trust needed to be signed if one was going to send information electronically either via e-mail, internet, FTP, Fax, etc.

Thanks!

And this: http://www.hipaadvisory.com/action/LegalQA/law/Legal25.htm

Note that both of these articles are contingent upon the final Security Rule, which states that chain of trust agreements are not necessary.

quote:

---

8. Business Associate Contracts or Other Arrangements (Sec. 164.308(b)(1))

In the proposed rule Sec. 142.308(a)(2) ``Chain of trust'' requirement, we proposed that covered entities be required to enter into a chain of trust partner agreement with their business partners, in which the partners would agree to electronically exchange data and protect the integrity, confidentiality, and availability of the data exchanged. This standard has been modified from the proposed requirement to reflect, in Sec. 164.308(b)(1) ``Business associate contracts and other arrangements,'' the business associate structure put in place by the Privacy Rule.

In this final rule, covered entities must enter into a contract or other arrangement with persons that meet the definition of business associate in Sec. 160.103. The covered entity must obtain satisfactory assurances from the business associate that it will appropriately safeguard the information in accordance with these standards (see Sec. 164.314(a)(1)).

The comments received on the proposed chain of trust partner agreements are discussed in section 2 ``Business associate contracts and other arrangements'' of the discussion of Sec. 164.314 below.

---

I searched a little more and found what the final security rule says about "chain of trust" under H. Organizational Requirements (Section 164.314)

quote:

---

The proposed chain of trust partner agreement has been replaced by the standards for business associate contracts or other arrangements and the standards for group
health plans.

---

For a quick search through the final Security Rule, head over to http://www.hipaadvisory.com/regs/FinalSecurity/finalsecurity.txt and do Ctrl-F to "find on this page." I put chain of trust in the search field and read everything they had on it. If they referred to a specific section of the regs and I wanted more info I popped in the section number and did a search on that.

Quick hint: The above quotes are taken from the comments section about what was changed in the final rule. The actual security rule is at the end of the document I linked to.

Here is what the final rule says in those sections referenced above:

quote:

---

Sec. 164.308(b)(1) Standard: Business associate contracts and other arrangements. A covered entity, in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with Sec. 164.314(a) that the business associate will appropriately safeguard the information.

---

Sec. 164.314 (a) is too big to quote here but it discusses business associate contracts and other agreements in more depth.

Hope this helps.

Mike DeTuri

[ 02-23-2003: Message edited by: Mike ]