**only title edited by Annie

[ 04-06-2003: Message edited by: Annie ]

If I were you, I would try to explain to them that to your knowledge the kind of insurance they want you to have doesn't even exist, but even if it did, HIPAA doesn't impose penalties on covered entities for actions of business associates anyway, nor does it impose penalties on business associates. So you having insurance would not benefit or protect them in any way. (Another example of the legal mind at work--bet they haven't even READ the HIPAA regulations.)

Jay

As for DCURTIS3,the agreement I received is five pages long, with a "Background Statement" page, sections on the Physician's right to audit and inspect my compliance with the agreement and my business practices, use and disclosure of PHI, etc. There are 10 sections altogether and the form I was asked to sign must be witnessed.

Needless to say, the physician eliminated the whole clause from the agreement.

[ 04-04-2003: Message edited by: Gaile Stevens, RHIT ]

From the Final Privacy Rule:

164.504(e)…

(1) Standard: Business associate contracts.

(i) The contract or other arrangement between the covered entity and the business associate required by § 164.502(e)(2) must meet the requirements of paragraph (e)(2) or (e)(3) of this section, as applicable.

(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (e) of this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:

(A) Terminated the contract or arrangement, if feasible; or

(B) If termination is not feasible, reported the problem to the Secretary.

(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:

(i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and

(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

(ii) Provide that the business associate will:

(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;

(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;

(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;

(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;

(E) Make available protected health information in accordance with § 164.524;

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;

(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;

(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and

(I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

I didn't quote (e)(3) because it deals with government entities.

Mike DeTuri

[ 04-04-2003: Message edited by: Mike ]

Mike DeTuri

The covered entity remains responsible for safeguarding the patient information. What they do not have to do is police their business associates, but make reasonable efforts to assure that the business associate is protecting information (which they do with the BA contract, not by policing actions). However, if there is a material breech by a business associate, the covered entity is responsible for being sure that things which led to that are corrected. It is indeed possible for there to be a penalty to the covered entity whose business associate has a breech that is not corrected.

At the same time, I don't know that this is why they are asking for liability insurance. The liability insurance we are seeing is indeed an errors and omissions policy. The last customer we signed up for requested proof of a $2 million policy which named their board as "additional insured." Our boarad made the decision before this request that having this liability insurance was simply a good business practice. What we found as we sought this coverage is that the liability insurance offered by AAMT to its members was the best policy and the most reasonably priced so that's how we went.

I think the thing that covered entities are doing to cover themselves related to HIPAA is putting stringent indemnification clauses in their contracts. I've seen every extreme as we reviewed these documents this year. Some are quite fair in that they provide mutual indemnification, some are very one sided. We all have to make decisions and choices about what we can live with in our own business practices and this will determine what clients we choose to work with in the future, I believe.

Okay, my two cents' worth plus. Enough!

Thanks for clarifying that, Kathy, what I meant to say but didn't quite say it was that as long as the covered entity can show it took "reasonable" steps to correct the breach and ensure that the breach does not reoccur, they are not subject to a penalty. If, for instance, a BA committed a material breach and did not inform the CE, the CE would not be penalized for the action of BA, since HIPAA does not require CEs to "police" their BAs, only to have a contract that requires BAs to report material breaches to the CE. Once the material breach was reported, or once the CE discovered the breach some other way, then it would be a different story, of course.

Jay

[ 04-06-2003: Message edited by: Jay Vance ]