Health Information Compliance Alert

Attempting to ease the Health Insurance Portability and Accountability Act transition, the Department of Health and Human Services has published model contract provisions for use in the business associate agreements required by the HIPAA privacy rule but that doesn't mean that drafting such agreements is now just a matter of filling in the blanks.

While the model language along with the one-year extension for existing contracts (see article 6) should provide some relief to providers struggling to meet compliance deadlines, the provisions can still create problems if thoughtlessly adopted. In addition, if your organization hasn't started considering HIPAA business associate language, you may be a little surprised by the detail and extent of the model language.

The first point to notice, suggests Steve Bernstein with McDermott, Will & Emery in Boston, is that the model language is only advisory and not required. Moreover, Bernstein observes, the model provisions do not constitute a contract; they are "just pieces of contract language." At the very least, then, covered entities that want to use the provisions will have to knit them into a coherent whole. But doing that will require close attention to the provisions' details.

"People might just take the wholesale language and throw it in contracts," worries Allison Shuren with Arent Fox Kintner Plotkin & Kahn, "and really have no idea what that actually means to their relationship with the other party."

To avoid this situation, Shuren encourages covered entities to ensure that the model provisions suit their particular situation, and if they don't, to modify them accordingly.

"You really need to make sure that you read [the model language] and tailor it to your relationship with whomever you're entering into that contract with," says Shuren.

HHS itself suggests that "a covered entity may want to add provisions in a business associate contract in order for the covered entity to be able to rely on the business associate to help the covered entity meet its obligations under the Privacy Rule."

Additionally, HHS notes that the privacy rule permits business associates to use or disclose protected health information in circumstances that the model provisions don't address. For example, HHS points out "the Privacy Rule does not preclude a business associate from disclosing protected health information to report unlawful conduct in accordance with Sec. 164.502(j)." However, there are no specific model provisions related to such permissive disclosures. HHS advises that these and other related issues "will need to be worked out between the [contracting] parties."

Another potential modification, suggests Kerry Kearney, an attorney with Reed Smith, is to include a provision that would allow a covered entity to end its relationship with a troublesome business associate without being liable for breach of contract.

"If, for example, there is an inappropriate disclosure by an entity that is your business associate," Kearney tells Eli, "you would want the ability to either terminate the contract or impose some kind of sanctions on the entity."

And while it is not possible to contractually require a business associate to share in any criminal responsibility that might arise from the associate's inappropriate disclosure of protected information, Kearney also suggests that a covered entity might still want to include indemnification provisions that would allow it to recoup fines from the associate.

The model language will help covered entities draft business associate contracts, but some things are still on hold. If the March 27 proposed changes to the privacy rule go forward, then covered entities will have until April 14, 2004 to rewrite their business associate contracts. While more time will help organizations, they still need to make sure business associates are willing to play by the privacy rule. HHS says in the preamble that covered entities will need to ensure that business associates will allow patients access to their protected health information and the ability to amend it. Likewise, the business associate must offer an account of where and how that information has been used.

And what about the security rule? To what extent will security provisions need to be incorporated into business associate contracts? "There doesn't seem to be a full integration of those two concepts yet," responds Bernstein.

Meanwhile, Shuren counsels that providers follow the Golden Rule: "You're safer to have in writing what your expectations are of your business associates."

Editor's Note: To see the model language, go to www.access.gpo.gov/su_docs/fedreg/a020327c.html.