HIPAA Business Associate Requirements for Providers


INTRODUCTION

The Privacy Rule from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that health plans as covered entities obtain satisfactory assurances from their Business Associates to make sure that Protected Health Information (“PHI”) is used only for its intended purposes and is adequately protected in accordance with law.

In general, providers are considered “covered entities” under the HIPAA privacy rule. In some circumstances, participating providers may also be defined as Business Associates of health plans -- for example, when they perform certain additional delegated duties, such as credentialing.

In cases where Medica delegates certain responsibilities to a provider and the provider would be construed as a Business Associate under HIPAA, the provider must comply with the HIPAA Business Associate Requirements, as noted in a provider agreement, or as noted below. If a provider is rendering health care services only and is not performing any activities that would make that provider a Business Associate under HIPAA, the Business Associate Requirements would not apply.

The HIPAA Business Associate Requirements contain provisions that describe how PHI may be used and disclosed and the requirements for protecting it, including appropriate safeguards, security measures, and other required processes. The Business Associate Requirements as noted below are part of Medica’s Administrative Requirements.


BUSINESS ASSOCIATE REQUIREMENTS

To the extent a provider is a Business Associate of Medica* as defined in the HIPAA privacy regulations, 45 CFR Part 160, through a provider participation agreement or any other agreement with Medica (“Agreement”), the provider is bound by the Business Associate Requirements (“Requirements”) set forth below and as required by 45 CFR Part 164. For those providers who have entered into an Agreement and an accompanying Business Associate Agreement with Medica, the Business Associate Agreement and the following Business Associate Requirements will be read consistently to the extent feasible. If there is a conflict between the two, the Business Associate Agreement will prevail to the extent it is in accordance with law.

1. Capitalized Terms. Capitalized terms used, but not otherwise defined, in these Requirements will have the same meaning as those terms in 45 CFR Part 160 and Part 164, Subparts A and E (the “Privacy Rule”) as may be modified or amended from time to time.

2. Obligations and Activities of Business Associate. 

    (a) Business Associate must not use or further disclose PHI except for the purpose of performing Business Associate’s obligations under the Agreement and as otherwise permitted or required by these Requirements or as Required By Law. 

    (b) Business Associate must use appropriate safeguards to prevent use or disclosure of PHI other than use or disclosure as permitted by the Agreement and these Requirements.
 
    (c) Business Associate must mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of these Requirements. 

    (d) Business Associate must report to Medica, within three (3) business days, any use or disclosure of the PHI not provided for by these Requirements of which it knew or should have known. 

    (e) Business Associate must ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Medica, agrees to the same restrictions and conditions that apply through these Requirements to Business Associate with respect to such information. 

    (f) Business Associate must provide access, at the request of Medica, and in the time and manner determined by Medica, to PHI in a Designated Record Set, to Medica, or as directed by Medica, to an Individual in order to meet the requirements under 45 CFR § 164.524. 

    (g) Business Associate must make any amendment(s) to PHI in a Designated Record Set that Medica directs or agrees to, pursuant to 45 CFR § 164.526, at the request of Medica or an Individual, within ten (10) business days after request by Medica. 

    (h) Business Associate must make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Medica, available to Medica, within ten (10) business days after request by Medica or at the request of Medica to the Secretary, within ten (10) business days after request by Medica or designated by the Secretary, for purposes of the Secretary determining Medica’s compliance with the Privacy Rule. 

    (i) Business Associate must document such disclosures of PHI and information related to such disclosures as would be required for Medica to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. 

    (j) Business Associate must provide to Medica or an Individual, within ten (10) business days after request by Medica, information collected in accordance with Section 2(i) of these Requirements, to permit Medica to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. 

    (k) Business Associate must make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Medica, available to Medica, for auditing purposes within ten (10) business days of receipt of written notice from Medica.

3. Permitted Uses and Disclosures by Business Associate; General Use and Disclosure Provision. Except as otherwise limited in these Requirements, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Medica as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Medica or in compliance with Medica’s policies and procedures regarding “minimum necessary” usage of PHI.

4. Specific Use and Disclosure Provisions. 

    (a) Except as otherwise limited in these Requirements, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. 

    (b) Except as otherwise limited in these Requirements, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances, of which it is aware, in which the confidentiality of the information has been breached. 

    (c) Except as otherwise limited in these Requirements, Business Associate may use PHI to provide Data Aggregation services to Medica as permitted by 45 CFR § 164.504(e)(2)(i)(B). 

    (d) Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).

5. Security Regulations.

5.1 Applicability. This Section 5 applies only if and to the extent that electronic data will be exchanged between Business Associate and Medica. Business Associate may be considered a Business Associate of Medica under HIPAA, 45 CFR Part 142 (the “Security Regulations”). This Section 5 will govern the terms and conditions under which electronic data is exchanged.

5.2 Security Implementation by Business Associate. In accordance with the Security Regulations, Business Associate must: 

    (a) Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, maintains or transmits on behalf of Medica; 

    (b) Ensure that any agent or subcontractor to whom it provides PHI agrees to implement reasonable and appropriate safeguards to protect it; 

    (c) Report to Medica any Security Incident of which it becomes aware; and 

    (d) Authorize termination of the Agreement if Medica determines that Business Associate has violated a material term of these Requirements.

6. Obligations of Medica. Provisions for Medica to inform Business Associate of privacy practices and restrictions: 

    (a) Medica will make available on its Web site the notice of privacy practices that Medica produces in accordance with 45 CFR § 164.520, as well as any changes to the notice. 

    (b) Medica will provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s permitted or required uses and disclosures. 

    (c) Medica will notify Business Associate of any restriction to the use or disclosure of PHI that Medica has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

7. Permissible Requests by Medica. Medica will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Medica. An exception will be if Business Associate will use or disclose PHI for data aggregation or management and administrative activities of Business Associate.

8. Effective Date and Termination. 

    (a) Effective Date. These Requirements will be effective as of the Effective Date of the Agreement. Upon termination of the Agreement, Business Associate will return or destroy PHI in accordance with paragraph 8(c) below. Application of these Requirements will terminate when all of the PHI provided by Medica to Business Associate, or created or received by Business Associate on behalf of Medica, is destroyed or returned to Medica, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this section. 

    (b) Termination for Cause. Upon Medica’s knowledge of material breach of these Requirements by Business Associate, Medica may immediately terminate the Agreement. Medica, in its sole discretion, may provide Business Associate an opportunity to cure the breach within the time specified by Medica. If, for any reason, neither termination nor cure is feasible, Medica will report the violation to the Secretary. This provision will be in addition to and will not limit any rights of termination set forth in the Agreement. 

    (c) Effect of Termination. 

            (1) Except as provided below, upon termination of the Agreement for any reason and expiration of these Requirements as they pertain to Business Associate as a result of the Agreement, Business Associate will return or destroy, at Medica’s direction, all PHI received from Medica, or created or received by Business Associate on behalf of Medica. This provision will also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate will retain no copies of the PHI. 

            (2) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate will provide to Medica notification of the conditions that make return or destruction infeasible. Upon the reasonable judgment of the Business Associate and Medica that return or destruction of PHI is infeasible, Business Associate will extend the protections of these Requirements to such PHI and limit further uses and disclosures of such PHI for so long as Business Associate maintains such PHI.

9. Miscellaneous. 

    (a) Regulatory References. A reference in these Requirements to a section in the Privacy Rule or Security Regulations means the section as in effect or as amended. 

    (b) Amendment. These Requirements will be amended from time to time as is necessary for Medica to comply with the requirements of the Privacy Rule, Security Regulations, HIPAA and other applicable laws relating to the security or confidentiality of PHI. 

    (c) Survival. The respective rights and obligations of Medica and Business Associate under section 8(c) of these Requirements will survive expiration of these Requirements and termination of the Agreement. 

    (d) Interpretation. Any ambiguity in these Requirements will be resolved to permit Medica to comply with the Privacy Rule, the Security Regulations, and other applicable laws.

* “Medica” includes Medica Health Plans, Medica Insurance Company, Medica Health Plans of Wisconsin, Medica Self-Insured and Medica Health Management, LLC.



January 2008