Section VIII: Privacy and Security
Title: Privacy Manual
Chapter: Administrative Policies, Business Associates (Internal/External)
Current Effective Date: 5/1/05
Revision History: 6/6/03
Original Effective Date: 4/14/03
To ensure all individuals or organizations that perform specific functions, activities, or services for the North Carolina Department of Health and Human Services (NC DHHS) agencies involving the sharing of individually identifiable health information are appropriately identified according to The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule as a “business associate”; and to further ensure that “agreements” are developed to support such contractual relationships, as appropriate.
This policy shall apply to the following DHHS agencies:
DHHS workgroups that must comply with the HIPAA Privacy Rule are referred to as "covered health care components". The HIPAA Privacy Rule requires covered health care components to identify persons or entities that provide specific functions, activities, or services that involve the use, creation, or disclosure of individually identifiable health information for, or on their behalf. Such entities are referred to as business associates.
Because this department has been determined to be a hybrid entity, each DHHS division and office was required to identify components that are covered by this HIPAA requirement. Although some components were determined not to be covered health care components under HIPAA, they do perform functions, activities, or services that involve the sharing of individually identifiable health information for, or on behalf of, covered health care components thus creating business associate relationships within this department. Such persons or entities within DHHS are health care components that are referred to as "internal business associates".
Components in other NC state government departments/agencies or external contractors outside of DHHS that perform functions, activities, or services for, or on behalf of, a DHHS covered health care component, and involve the use, creation, or disclosure of individually identifiable health information are referred to as "external business associates".
Functions, activities, and services performed by business associates that involve the use, creation, or disclosure of individually identifiable health information may include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing.
DHHS covered health care components are required to identify their internal business associates by recognizing all of the other divisions/offices (or portions thereof) within the Department that perform specific functions, activities, or services for, or on behalf of, the covered component when such functions or activities involve the sharing of individually identifiable health information.
DHHS internal business associates must also identify their internal business associates by recognizing any other health care component(s) within DHHS that perform such functions, activities, or services for, or on behalf of, the internal business associate that involve the sharing of individually identifiable health information.
DHHS covered health care components and internal business associates must identify their external business associates by recognizing other NC state government departments/agencies and external contractors (public and private) that perform specific functions, activities, or services for, or on behalf of, the covered component or the internal business associate when such functions, activities, or services involve the sharing of individually identifiable health information.
Incidental access to individually identifiable health information while performing duties that do not typically involve the use or disclosure of such information generally does not constitute a business associate relationship.
DHHS covered health care components and internal business associates must initiate agreements with their external business associates in order to share individually identifiable health information while performing specific functions, activities, or services for, or on behalf of, the covered health care component or the internal business associate.
It is the responsibility of covered health care components and internal business associates to execute agreements with external business associates that provide satisfactory assurance that the business associate will appropriately safeguard individually identifiable health information.
The Business Associate Addendum to Contract template and the Business Associate Addendum to Memorandum of Understanding template, developed by the NC Office of the Attorney General, are required when contracts are initiated by DHHS staff. Such addenda must be attached to either the department's standard contract or the department's standard Memorandum of Understanding (MOU) as specified in the DHHS Purchasing and Contracts Manual.
Whenever another department/agency in state government has been identified as an external business associate of a DHHS covered health care component, and there is no agreement in place between the two (2) departments, a Business Associate MOU that stands alone must be developed using the Business Associate MOU template developed by the NC Office of the Attorney General.
Certain external contractors may be considered part of the HIPAA covered component's workforce, and therefore will not require a business associate agreement if the following criteria apply:
Any external contractor who is considered part of the covered health care component's workforce must comply with that component's privacy policies and procedures.
Written agreements are not required between agencies within DHHS since the DHHS Privacy Policy Manual applies to all DHHS agencies.
Disclosure of individually identifiable health information from one health care provider to another for treatment, consultation, or referral does not require a business associate agreement. (Note: For MH/DD/SAS agencies, a business associate agreement would not be required, but those agencies would have to initiate either a "service provider agreement", according to N.C. General Statutes, or would have to secure client authorization to disclose health information to a health care provider outside the agency.)
A business associate agreement is also not required when individually identifiable health information is disclosed to a health plan for payment purposes.
DHHS covered health care components and internal business associates are required to take reasonable steps to correct any known material breach or violation of any business associate agreement. If such steps are unsuccessful, the agreement must be terminated, if feasible; and if not, the problem must be reported to the DHHS Privacy Officer who will determine if further actions are warranted, which could include reporting the problem and correction attempts to the United States Department of Health and Human Services.
Should a covered health care component or internal business associate become a business associate of an agency external to DHHS, the agreement initiated by the external agency must be approved by the NC Office of the Attorney General prior to signing such an agreement.
Each agency that has at least one covered health care component or internal business associate must evaluate specific functions, activities, and services that are provided for, or on behalf of, that component/business associate to identify all internal and external business associates as follows:
Each agency must develop a process that identifies internal business associate relationships with other programs/units within the same division or with another division within DHHS. Components must maintain documentation of their internal business associates and update such information as internal business associates are added or deleted.
Each agency must also develop a process that identifies external business associate relationships at the time the agency initially creates a contract with the external contractor, or develops an MOU with another department. Renewal of a contract or MOU that has a Business Associate Addendum requires a review of the Business Associate Agreement as well, for renewal purposes. Covered components must identify all business associate relationships to standard contracts when entering contract information into the DHHS purchase and contracts database that monitors contract costs.
The department has developed the HIPAA Guidance to Identifying Business Associates document and Business Associate Questionnaire worksheets for classifying business associates for DHHS agencies to use in making such determinations.
There are no contractual documentation requirements for services provided by internal business associates, other than the agency's general documentation requirements.
Documentation of services provided by other NC State government departments/agencies is accomplished through an MOU.
Documentation of services provided by external contractors is accomplished through a DHHS standard contract. Documentation of business associate requirements is accomplished in an addendum to the MOU or contract. Business Associate agreements must be maintained for at least six (6) years from the date of creation.
The DHHS Business Associate Addendum to Contract, the DHHS Business Associate Addendum to Memorandum of Understanding and the stand alone DHHS Business Associate Memorandum of Understanding templates have been developed by the NC Attorney General's Office and must be used when service providers outside of DHHS are identified as business associates. These documents include all of the HIPAA requirements to which their contractors must agree before covered health care components are allowed to share individually identifiable health information.
Beginning October 15, 2002, all new or amended DHHS contracts or MOUs must be evaluated to determine whether a business associate relationship exists. If a business associate relationship does exist, the business associate agreement developed by the NC Office of the Attorney General must be attached to the new or amended DHHS contract or MOU before April 14, 2003. All contracts and MOUs that are initiated or amended during fiscal year 2003-2004 must have the business associate agreements attached if contractors are also business associates. By April 14, 2004, all existing contracts and MOUs that also exhibit a business associate relationship must be amended to include a business associate agreement (even if the contract period goes beyond April 14, 2004). By April 14, 2004, ALL business associate agreements MUST be in place.
Should a DHHS covered health care component or internal business associate become aware of a pattern of activity, or practice of an internal business associate that constitutes a material breach or violation of the internal business associate's obligation with respect to privacy of individually identifiable health information in its possession, such information shall be forwarded to the DHHS Privacy Officer for resolution.
Should a DHHS covered health care component or internal business associate become aware of a pattern of activity or practice of an external business associate that constitutes a material breach or violation of the external business associate's obligations with respect to individually identifiable health information specified in a contract or other arrangement, reasonable steps should be taken to cure each breach, end the violation, and/or mitigate the consequences.
If such steps are unsuccessful, the covered health care component or internal business associate may, at its discretion:
Each agency is required to track their internal business associates by maintaining current documentation of their internal business associates throughout the year on the Business Associate Questionnaire worksheets. At the end of the state fiscal year, each covered component is required to send a copy of the "Division Business Associates" and "DHHS Business Associates" worksheets from the Business Associate Questionnaire to the DHHS Privacy Officer.
DHHS agencies shall track their external business associates through the contracts that are entered into the Department database for purchasing and contracts by checking the business associate field as appropriate.
DHHS covered health care components and internal business associates are not required to provide privacy training to their external business associates; nor are they required to monitor the privacy protections for individually identifiable health information that are instituted by their external business associates.
Reference:
DHHS Directive Number III-11; 45 CFR 160.103, 164.502(e), 164.504(e), 164.514(e), NCGS 122C-55(f)
For Relevant Documents:
Business Associate Addendum to Contract
Business Associate Addendum to Memorandum of Understanding
Business Associate Memorandum of Understanding
HIPAA Guidance to Identifying Business Associates
Business Associate Questionnaire
For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.