JAN 1, 2010

Business Associates' Status Remains Cloudy

Under the HITECH provisions of the American Recovery and Reinvestment Act, business associates must comply with the HIPAA privacy and security rules to the same extent as covered entities. But guidance that was expected at the end of 2009 from the Department of Health and Human Services' Office of the National Coordinator, along with regulations that the HHS Office for Civil Rights will issue in 2010, will go a long way toward clarifying the degree to which the new law pertains to business associates.

Under HITECH, business associates are treated as covered entities for all provisions of the security rule and the parts of the privacy rule that cover use and disclosure of protected health information, says Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, Chicago. Whether that means that contracts between covered entities and business associates must be amended remains a matter of debate. "There is a significant amount of confusion around this issue," Gallagher notes.

That's because the enacted legislation says the privacy and security rule changes "shall be incorporated" in business associate contracts. That language could be interpreted differently by covered entities, Gallagher says. "Incorporated" could mean present and future privacy/security rule changes would automatically be incorporated in the contracts. Or, it could mean that covered entities must revisit contracts and amend them as necessary. Or, pending clarification, covered entities could handle business associate contracts as they do other contracts by assessing their business risks and deciding whether to make changes or wait.

 

Not so Fast

Some observers argue that the new requirements on business associates don't necessarily compel covered entities to take any action. Covered entities should review existing business associate arrangements and ensure that contracts require business associates to comply with the privacy and security rule, says Margret Amatayakul, president of MargretA Consulting, Schaumburg, Ill. Many contracts that she has seen have not been renewed or don't have security rule provisions in them.

But Amatayakul doesn't see the need for wholesale reworking of business associate contracts because of the privacy and security rule changes. "I don't see what has to be reflected in the contracts," she explains. "You don't have to say that business associates now are covered entities. Nobody's going to hold you accountable for someone else breaking the law. Unless there's something in future rulemaking, I don't think it's necessary."

It's important, however, that covered entities make sure they understand which outside organizations are business associates and which are contractors, Amatayakul says.

For instance, an organization conducting an assessment of a covered entity generally would be considered a contractor, and not directly subject to the privacy and security rules. But an organization filing claims for a covered entity, with the covered entity directing patients with queries to the outside organization, would be a business associate.

The bottom line, Amatayakul says, is that it's a good idea, but not a requirement, for covered entities to advise business associates of the privacy/security rule changes. "Ignorance of the law doesn't get you out of complying with the law."

Gallagher takes a somewhat different view. Just because business associates are subject to the rules doesn't eliminate the obligation of covered entities to make sure business associates comply with the rules under a contract, she contends.

And the rule changes are flying under the radar of many business associates, she adds. "The level of awareness is lower than I thought they'd be. Covered entities are generally aware, but business associates are not. We're still in an awareness and education phase with these changes."

 

Other Concerns

Confusion over the privacy/security changes also reigns in other areas. For instance, an important unknown is how the handling of health information breaches will apply to health information exchanges and regional health information organizations, Gallagher notes.

These organizations should craft a common process among disparate partners on how they will handle breach detection and notification, she advises.

There's also confusion over whether personal health records vendors that contract with covered entities are business associates, Amatayakul says. "Covered entities need to scrutinize their relationship and develop a policy related to how they will interact with PHR vendors."

That policy would depend on the degree to which a covered entity and PHR vendor exchange protected health information. A covered entity could, for instance, enable patients to input some of their official electronic health records information into the PHR, or incorporate some of the PHR data into patients' electronic health records.
