Privacy Officer's Roundtable

Notice of Privacy Practices to Business Associates

  • 1.  Notice of Privacy Practices to Business Associates

    Posted 12-12-2019 01:41 PM
    Is there a requirement somewhere that a Covered Entity must provide each Business Associate with a copy of the CE's Notice of Privacy Practices?  I feel like I saw this in the past, and the subject has come up for me, but I can't find any documentation.

    ------------------------------
    Leigh Wright
    Director of Privacy & Compliance
    Simplified Medical Management
    Tuscaloosa,AL
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: Notice of Privacy Practices to Business Associates

    Posted 12-12-2019 03:46 PM
    As a health plan we have to provide them to all of our subscribers upon enrollment. I'm not aware of any regulation about business associates. I have seen a few BAA documents that request it. But I don't recall any regulation to such.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise,ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 3.  RE: Notice of Privacy Practices to Business Associates

    Posted 12-12-2019 03:58 PM

    The CE has a BAA with the Business Associate which governs the appropriate use of PHI. A NoPP is for informing patients of your processes and their rights. No need to supply it to a BA that I can see.

    Other perspectives?

     

    Best Regards,

    Scot Lovejoy

    Scot Lovejoy RPh. CHC CHPC

    Chief Pharmacy Officer

    Compliance Officer

    Agadia

    9 Campus Drive, 2nd Floor East

    Parsippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440

     

     



  • 4.  RE: Notice of Privacy Practices to Business Associates

    Posted 12-13-2019 06:09 AM
    It's typically addressed in the Business Associate Agreement. I would think you'd want to put them on notice as to your practices regardless so everyone is on the same page.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Administrative Services Building, Ste. 1201
    213 S. Jefferson Street
    Roanoke, VA 24011
    (540) 224-5757
    Fax: (540) 510-224-5787
    Integrity Help Line Compliance: (844) 732-6232
    bkmanning@carilionclinic.org

    Our Mission: Improve the health of the communities we serve.


    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 5.  RE: Notice of Privacy Practices to Business Associates

    Posted 12-17-2019 06:40 PM

    I agree it is not required to include language about a CE's NPP or to provide one, but OCR does include such notification as optional in its model BAA.  I see this language pretty often when reviewing BAAs for clients.  In the end it is the responsibility of the CE to inform the BA if there are granted restriction requests, authorization revocations, etc.  If the CE does not inform the BA, the BA will not act on such revocations, granted restriction rights, etc.

     

    Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions

    (a) [Optional] Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate's use or disclosure of protected health information.

    (b) [Optional] Covered entity shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate's use or disclosure of protected health information.

    (c) [Optional] Covered entity shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect business associate's use or disclosure of protected health information.

    The link to the model BAA is:  https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

     

    Chris Apgar, CISSP

     

    CEO & President

    (503) 384-2538 (o)

    (503) 816-8555 (c)

    (503) 384-2539 (f)

    capgar@apgarandassoc.com

    www.apgarandassoc.com

     

    Privacy | Information Security | Compliance | Certification Readiness | Security Incident Response



  • 6.  RE: Notice of Privacy Practices to Business Associates

    Posted 12-12-2019 04:08 PM
    Leigh,
    I do not believe we have to provide the NPP to the business associate.  Here is an FAQ from the HHS.gov website related to the NPP and business associates:

    Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

    Answer:

    No. However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of protected health information and other actions are consistent with the covered entity's privacy policies, as stated in covered entity's notice. Also, a covered entity may use a business associate to distribute its notice to individuals.

    Date Created: 02/17/2003




    ------------------------------
    Sheila Limmroth
    Privacy Officer
    DCH Health System
    Tuscaloosa,AL
    ------------------------------
