Privacy Officer's Roundtable

Defining business associate

  • 1.  Defining business associate

    Posted 03-14-2019 06:29 PM
    Good afternoon,

    I've encountered an interesting interpretation of what constitutes a business associate and I would like to get some input from others.

    We recently had an outside entity conduct an information security assessment for us.  Relating to § 164.314(a)(2)(ii)(B) they state that if we release records to fulfill a court order, summons, subpoena, etc. we are required to obtain reasonable assurances from the courts that they will safeguard the PHI.  They recommended that before we release information we ask courts to sign a memorandum of understanding with us stating they understand that the information is protected, etc.  They acknowledge that the court could certainly refuse, but feel that we are obligated to attempt it.

    Now, the basis for this recommendation is that they are considering the courts to be a business associate because we are sharing information with them.

    When I look at the HHS definition of a business associate, it reads:
     A "business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  A "business associate" also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

    I'm having difficulty with the idea that the courts would be a business associate of ours.  They are not performing activities or functions on our behalf and are not acting as a subcontractor.

    I welcome your interpretations!


    ------------------------------
    Emily Roberts CCEP
    Compliance/Privacy Manager
    Morrow County Health District
    Hermiston,OR

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.
    ------------------------------


  • 2.  RE: Defining business associate

    Posted 03-14-2019 06:54 PM
    You're correct in that the courts are not doing a function on your behalf, so they are not a business associate.  I take the satisfactory assurances to be in response to a situation where the patient has not been notified that a subpoena has been issued for their PHI.

    When we get a court-order, we release what the judge says to release.  No questions asked.

    ------------------------------
    David Garrison CHC,CHPC
    Compliance/Privacy Officer
    SEARHC
    Juneau,AK
    ------------------------------



  • 3.  RE: Defining business associate

    Posted 03-14-2019 07:06 PM
    I've just realized there's a typo in their citation, but I believe they are referring to (B) below.

    § 164.314   Organizational requirements.
    (a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
    (2) Implementation specifications (Required)-
    (i) Business associate contracts. The contract must provide that the business associate will-
    (A) Comply with the applicable requirements of this subpart;
    (B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and

    If it's true that the courts are not a business associate, I think it's fair to say that item cannot apply.

    Re: satisfactory assurance - we certainly would get that for non-court ordered subpoenas, but based on my conversation with the company, they don't seem to be referring to that.

    ------------------------------
    Emily Roberts CCEP
    Compliance/Privacy Manager
    Morrow County Health District
    Hermiston,OR

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.
    ------------------------------



  • 4.  RE: Defining business associate

    Posted 03-15-2019 07:04 AM
    There seems to be a disconnect here. What they appear to be referring to is "Disclosures for Judicial and Administrative Proceedings". 45 CFR 164.512 (e)(1).  In that provision satisfactory assurances are defined as follows.

    (iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

    (A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);

    (B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and

    (C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:

    (1) No objections were filed; or

    (2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.



    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Administrative Services Building, Ste. 1201
    213 S. Jefferson Street
    Roanoke, VA 24011
    (540) 224-5757
    Fax: (540) 510-224-5787
    Integrity Help Line Compliance: (844) 732-6232
    bkmanning@carilionclinic.org

    Our Mission: Improve the health of the communities we serve.


    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 5.  RE: Defining business associate

    Posted 03-14-2019 09:56 PM
    Thank you David.  I've come to know that just as anyone can put the description or label of "best practice" on just about anything they may want to somehow proclaim is a "good" process....I find many times applications of the rules that are simply wrong under the label of an "interpretation".

    Let's get back to basics.  There are some applications of the rules that people make that are simply wrong.  So be it...we all live and learn.

    ------------------------------
    ► Study Session Link for CI ◄
    https://www.surveymonkey.com/r/GJSW959
    --------Frank Ruelas---------
    ------------------------------



  • 6.  RE: Defining business associate

    Posted 03-15-2019 09:09 AM
    Good advice, Frank.  I may have mentioned this before, but whenever I hear or see the phrase "best practice" my radar goes up.  Though in many cases not intended, experience has shown me that often that term is used to encourage cooperation with what is often a "bad idea".

    Jim Parks

    ------------------------------
    Jim Parks CHPC
    Director of Compliance
    Summit Medical Group
    Knoxville,TN
    ------------------------------



  • 7.  RE: Defining business associate

    Posted 03-15-2019 09:15 AM
    Quick story...which I think for me highlights how the idea of "best practice" can be used, overused...even abused.

    I was sitting in a meeting a few years ago where a work flow and process was getting defined (by the way...not one person actually involved in performing the tasks in this process was involved in the planning...RED FLAG...but no one seemed to care) in response to a Sentinel Event.

    When the process was being discussed, someone adjusted a few "squares" on the proposed workflow process and the person leading the meeting...probably in an attempt to build consensus and a sense of validation of this group's work...instantly said something to the effect, "Now that change makes a lot of sense and is no doubt a best practice."

    So a proclamation of a "best practice"...in a design...on a process...that is not even off of the drawing board...with no input from people directly involved...C'mon Man!

    ------------------------------
    ► Study Session Link for CI ◄
    https://www.surveymonkey.com/r/GJSW959
    --------Frank Ruelas---------
    ------------------------------



  • 8.  RE: Defining business associate

    Posted 03-18-2019 09:09 AM

    Good example, Frank. Unfortunately, in my many years as a healthcare professional I have seen this way too many times.

     

    Thank you,

    Sharon Taylor, RN, MS, CIC, CPHRM, CHC, CHPC        

    Director Risk Management/ Accreditation Services

    Burgess Health Center

    1600 Diamond Street

    Onawa, IA 51040

    Tel: 712-423-9248

    Fax: 712-423-9322

    E-mail: staylor@burgesshc.org

    Website: www.burgesshc.org

     

     


     

    Quality Care You Can Believe In


     






  • 9.  RE: Defining business associate

    Posted 03-18-2019 12:14 PM
    Frank, I think you hit the nail on the head there. In my experience, many folks who say that something is a "best practice" are really using it as a tool to get their point across or to sell their process suggestion.

    ------------------------------
    David Rothery, CHC
    Compliance Officer
    Marin County, CA


    These are my personal opinions and not those of the County of Marin
    ------------------------------



  • 10.  RE: Defining business associate

    Posted 03-15-2019 11:36 AM
    Exactly, Jim. Prior to the "Enlightenment" phase of humanity, "best practice" for most ills was application of leeches for bloodletting. I don't think too many folks would recommend that now.

    ------------------------------
    David Rothery, CHC
    Compliance Officer
    Marin County, CA


    These are my personal opinions and not those of the County of Marin
    ------------------------------



  • 11.  RE: Defining business associate

    Posted 03-15-2019 11:52 AM
    Re: requesting the court to provide assurances or sign a BAA: Records requested by a court order signed by a judge or a grand jury request are released as requested.  I would be curious if anyone has a different understanding.  If the request is by an attorney, we ensure the attorney provides us with the patient's release citing it is okay to release.  If the opposing attorney does not provide that release, we contact the patient or the patient's counsel to provide us with a medical records release according to HIPAA and Privacy policy.

    ------------------------------
    Charlann Staab , CNP, MSN, CFRN, CEN CHC, CHPC
    Privacy Official
    PHI Air Medical
    Phoenix, AZ
    ------------------------------



  • 12.  RE: Defining business associate

    Posted 03-14-2019 09:51 PM
    Briefly...no CE → BA relationship exists based on your description...so no BAA.

    I mean this with all objectivity and genuine curiosity and by no means am I inferring anything positive or negative.  Given this interpretation, I would be very, very curious to see the job they did doing this risk assessment (or do you mean a risk analysis?) you had them do.

    Very curious indeed.

    My takeaway for you...whenever they state or communicate a "requirement"...you probably should make sure you have the specific citation they are referring to...and then get a second check on their interpretation(s) before investing time and energy in addressing any "findings".

    Many, many thanks for sharing.  Wow!


    ------------------------------
    ► Study Session Link for CI ◄
    https://www.surveymonkey.com/r/GJSW959
    --------Frank Ruelas---------
    ------------------------------



  • 13.  RE: Defining business associate

    Posted 03-15-2019 11:02 AM
    Thanks, all - I knew I could count on a lively discussion about this!

    I'm planning to contact the organization again to try to clarify and resolve the issue, but I wanted to make certain I wasn't missing some precedent or obscure regulation before I try again.

    ------------------------------
    Emily Roberts CCEP
    Compliance/Privacy Manager
    Morrow County Health District
    Hermiston,OR

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.
    ------------------------------
