HIPAA Business Associate Requirements for Providers


The Privacy Rule from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that health plans as covered entities obtain satisfactory assurances from their Business Associates to make sure that Protected Health Information (“PHI”) is used only for its intended purposes and is adequately protected in accordance with law.

In general, providers are considered “covered entities” under the HIPAA privacy rule. In some circumstances, participating providers may also be defined as Business Associates of health plans -- for example, when they perform certain additional delegated duties, such as credentialing.

In cases where Medica delegates certain responsibilities to a provider and the provider would be construed as a Business Associate under HIPAA, the provider must comply with the HIPAA Business Associate Requirements, as noted in a provider agreement, or as noted below. If a provider is rendering health care services only and is not performing any activities that would make that provider a Business Associate under HIPAA, the Business Associate Requirements would not apply.

The HIPAA Business Associate Requirements contain provisions that describe how PHI may be used and disclosed and the requirements for protecting it, including appropriate safeguards, security measures, and other required processes. The Business Associate Requirements as noted below are part of Medica’s Administrative Requirements.


Business Associate Requirements

To the extent a provider is a Business Associate of Medica* as defined in the HIPAA privacy regulations, 45 CFR Part 160, through a provider participation agreement or any other agreement with Medica (“Agreement”), the provider is bound by the Business Associate Requirements (“Requirements”) set forth below and as required by 45 CFR Part 164. For those providers who have entered into an Agreement and an accompanying Business Associate Agreement with Medica, the Business Associate Agreement and the following Business Associate Requirements will be read consistently to the extent feasible. If there is a conflict between the two, the Business Associate Agreement will prevail to the extent it is in accordance with law.


1. Capitalized Terms.
Capitalized terms used, but not otherwise defined, in these Requirements will have the same meaning as those terms in 45 CFR Part 160 and Part 164, Subparts A and E (the “Privacy Rule”) as may be modified or amended from time to time.


2. Obligations and Activities of Business Associate. 

(a) Business Associate must not use or further disclose PHI except for the purpose of performing Business Associate’s obligations under the Agreement and as otherwise permitted or required by these Requirements or as Required By Law. 

(b) Business Associate must use appropriate safeguards to prevent use or disclosure of PHI other than use or disclosure as permitted by the Agreement and these Requirements.
 
(c) Business Associate must mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of these Requirements. 

(d) Business Associate must report to Medica, within three (3) business days, any use or disclosure of the PHI not provided for by these Requirements of which it knew or should have known. 

(e) Business Associate must ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Medica, agrees to the same restrictions and conditions that apply through these Requirements to Business Associate with respect to such information. 

(f) Business Associate must provide access, at the request of Medica, and in the time and manner determined by Medica, to PHI in a Designated Record Set, to Medica, or as directed by Medica, to an Individual in order to meet the requirements under 45 CFR § 164.524. 

(g) Business Associate must make any amendment(s) to PHI in a Designated Record Set that Medica directs or agrees to, pursuant to 45 CFR § 164.526, at the request of Medica or an Individual, within ten (10) business days after request by Medica. 

(h) Business Associate must make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Medica, available to Medica, within ten (10) business days after request by Medica or at the request of Medica to the Secretary, within ten (10) business days after request by Medica or designated by the Secretary, for purposes of the Secretary determining Medica’s compliance with the Privacy Rule. 

(i) Business Associate must document such disclosures of PHI and information related to such disclosures as would be required for Medica to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. 

(j) Business Associate must provide to Medica or an Individual, within ten (10) business days after request by Medica, information collected in accordance with Section 2 (i) of these Requirements, to permit Medica to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. 

(k) Business Associate must make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Medica, available to Medica, for auditing purposes within ten (10) business days of receipt of written notice from Medica.

2.1 Compliance with ARRA and the HITECH ACT.

(a) Business Associate will comply with each and every obligation imposed on Business Associates under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Sections 13400 through 13424 of Subtitle D of Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA) and all implementing rules or regulations issued in the future, and each of those obligations are incorporated by reference into this Addendum, with the understanding that compliance with each of those obligations is required under this Addendum only as of the date upon which compliance with each of those obligations is required under the HITECH Act or its implementing rules or regulations.

(b) Business Associate will comply with the security requirements referenced in Section 13401 of the HITECH Act, including the requirements of 45 CFR Sections 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) and 164.316 (Policies and procedures and documentation requirements). This Section 2.1 (b) shall be effective February 17, 2010.

(c) Business Associate will notify Medica as soon as possible, but no later than 3 business days following the discovery of an unauthorized access, use or disclosure of unsecured protected health information (Incident). The notice shall include, to the extent known:

(i) a description of how the Incident occurred, including the date of the Incident and the date of discovery of the Incident;

(ii) a description of the protected health information involved in the Incident; and

(iii) the identification of each individual whose unsecured protected health information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Incident.

The Business Associate will promptly and fully cooperate with Medica to investigate the Incident, and to take all actions requested by Medica to ensure compliance with the breach analysis and notification requirements under the HITECH Act. This Section 2.1(c) shall apply to all privacy or security Incidents that are discovered on or after September 24, 2009.

(d) Business Associate may use and disclose protected health information only if such use or disclosure is in compliance with each applicable requirement of 45 CFR Section 164.504(e) (Uses and disclosures: Organizational requirements: Business associate contracts) and the privacy requirements referenced in Section 13404 of the HITECH Act. This Section 2.1(d) shall be effective February 17, 2010.


3. Permitted Uses and Disclosures by Business Associate; General Use and Disclosure Provision.

Except as otherwise limited in these Requirements, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Medica as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Medica or in compliance with Medica’s policies and procedures regarding “minimum necessary” usage of PHI.


4. Specific Use and Disclosure Provisions. 

(a) Except as otherwise limited in these Requirements, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. 

(b) Except as otherwise limited in these Requirements, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances, of which it is aware, in which the confidentiality of the information has been breached. 

(c) Except as otherwise limited in these Requirements, Business Associate may use PHI to provide Data Aggregation services to Medica as permitted by 45 CFR § 164.504(e)(2)(i)(B).

(d) Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).


5. Security Regulations.


5.1 Applicability. This Section 5 applies only if and to the extent that electronic data will be exchanged between Business Associate and Medica. Business Associate may be considered a Business Associate of Medica under HIPAA, 45 CFR Part 142 (the "Security Regulations"). This Section 5 will govern the terms and conditions under which electronic data is exchanged.

5.2 Security Implementation by Business Associate. In accordance with the Security Regulations, Business Associate must: 

(a) Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, maintains or transmits on behalf of Medica; 

(b) Ensure that any agent or subcontractor to whom it provides PHI agrees to implement reasonable and appropriate safeguards to protect it; 

(c) Report to Medica any Security Incident of which it becomes aware; and 

(d) Authorize termination of the Agreement if Medica determines that Business Associate has violated a material term of these Requirements.


6. Obligations of Medica.
Provisions for Medica to inform Business Associate of privacy practices and restrictions: 

(a) Medica will make available on its Web site the notice of privacy practices that Medica produces in accordance with 45 CFR § 164.520, as well as any changes to the notice. 

(b) Medica will provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s permitted or required uses and disclosures. 

(c) Medica will notify Business Associate of any restriction to the use or disclosure of PHI that Medica has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.


7. Permissible Requests by Medica.
Medica will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Medica. An exception will be if Business Associate will use or disclose PHI for data aggregation or management and administrative activities of Business Associate.


8. Effective Date and Termination.
 

(a) Effective Date. These Requirements will be effective as of the Effective Date of the Agreement. Upon termination of the Agreement, Business Associate will return or destroy PHI in accordance with paragraph 8(c) below. Application of these Requirements will terminate when all of the PHI provided by Medica to Business Associate, or created or received by Business Associate on behalf of Medica, is destroyed or returned to Medica, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this section. 

(b) Termination for Cause. Upon Medica’s knowledge of material breach of these Requirements by Business Associate, Medica may immediately terminate the Agreement. Medica, in its sole discretion, may provide Business Associate an opportunity to cure the breach within the time specified by Medica. If, for any reason, neither termination nor cure is feasible, Medica will report the violation to the Secretary. This provision will be in addition to and will not limit any rights of termination set forth in the Agreement. 

(c) Effect of Termination. 

 (1) Except as provided below, upon termination of the Agreement for any reason and expiration of these Requirements as they pertain to Business Associate as a result of the Agreement, Business Associate will return or destroy, at Medica’s direction, all PHI received from Medica, or created or received by Business Associate on behalf of Medica. This provision will also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate will retain no copies of the PHI. 

(2) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate will provide to Medica notification of the conditions that make return or destruction infeasible. Upon the reasonable judgment of the Business Associate and Medica, that return or destruction of PHI is infeasible, Business Associate will extend the protections of these Requirements to such PHI and limit further uses and disclosures of such PHI for so long as Business Associate maintains such PHI.


9. Miscellaneous.
 

(a) Regulatory References. A reference in these Requirements to a section in the Privacy Rule or Security Regulations means the section as in effect or as amended. 

(b) Amendment. These Requirements will be amended from time to time as is necessary for Medica to comply with the requirements of the Privacy Rule, Security Regulations, HIPAA and other applicable laws relating to the security or confidentiality of PHI. 

(c) Survival. The respective rights and obligations of Medica and Business Associate under section 8(c) of these Requirements will survive expiration of these Requirements and termination of the Agreement. 

(d) Interpretation. Any ambiguity in these Requirements will be resolved to permit Medica to comply with the Privacy Rule, the Security Regulations, and other applicable laws.

* “Medica” includes Medica Health Plans, Medica Insurance Company, Medica Health Plans of Wisconsin, Medica Self-Insured and Medica Health Management, LLC.


January 2008
