Health Information Compliance Alert

Business Associates MODEL CONTRACTS -- SOME ASSEMBLY REQUIRED

The Department of Health and Human Services’ model business associate contracts offer entities some guidance on how to proceed with one of the biggest mandates of the HIPAA privacy reg, but there's still a lot of work to do to get contracts up and running before the HIPAA starting gun goes off.

While the model language -- along with the one-year extension for existing contracts -- should provide some relief to CEs struggling to meet compliance deadlines, the provisions can still create problems if thoughtlessly adopted.

The language is helpful and any type of provider can use most of the pieces, opines Steve Bernstein with McDermott Will & Emery in Boston. But physicians should note that the model language is only advisory and not required. Moreover, Bernstein observes, the model provisions do not constitute a contract; they are “just pieces of contract language.” At the very least, then, covered entities that want to use the provisions will have to knit them into a coherent whole.

"People might just take the wholesale language and throw it in contracts, and really have no idea what that actually means to their relationship with the other party," worries Allison Shuren with Arent Fox Kintner Plotkin & Kahn in Washington.

To avoid this situation, Shuren encourages covered entities to ensure that the model provisions suit their particular situations, and if they don’t, to modify them accordingly.

“You really need to make sure that you read [the model language] and tailor it to your relationship with whoever you’re entering into that contract with,” says Shuren.

HHS itself, for example, suggests that “a covered entity may want to add provisions in a business associate contract in order for the covered entity to be able to rely on the business associate to help the covered entity meet its obligations under the Privacy Rule.”

Additionally, HHS notes that the privacy rule permits business associates to use or disclose protected health information in circumstances that the model provisions don’t address. For example, HHS points out, “the Privacy Rule does not preclude a business associate from disclosing protected health information to report unlawful conduct in accordance with Sec. 164.502(j).”

However, there are no specific model provisions related to such permissive disclosures. HHS advises that these and other related issues “will need to be worked out between the [contracting] parties.”

Practices may also want to add in a provision that allows a covered entity to end its relationship with a troublesome business associate without being liable for breach of contract, suggests Pittsburgh-based attorney Kerry Kearney with Reed Smith.

“If, for example, there is an inappropriate disclosure by an entity that is your business associate,” says Kearney, “you would want the ability to either terminate the contract or impose some kind of sanctions on the entity.”

And while it is not possible to contractually require a business associate to share in any criminal responsibility that might arise from the associate’s inappropriate disclosure of protected information, Kearney also suggests that a covered entity might still want to include indemnification provisions that would allow it to recoup fines from the associate.

The bottom line is that you should “have in writing what your expectations are of your business associates,” Shuren asserts.

Editor’s Note: To see a copy of the model language, go to www.access.gpo.gov/su_docs/fedreg/a020327c.html.
