I am hopeful that by posting this information to the listservs I can get
input from states about how they are approaching the "access, amendment and
accounting" requirements of the HIPAA Privacy rule through their business
associate contracts. 

These are my questions: 
1) Are any states delegating the responsibility to provide access, amendment
and/or accountings through their business associate agreements? 
2) If you are, what are the pros and cons that you identified regarding
doing this? For example: I know that if we delegate these functions, we may
lose control over these functions but on the other hand we often don't
maintain the designated record sets where this information is maintained,
our business associates do.   

In some cases we have no control over information contained in our business
associates' designated record sets. If we proceed with the language in the
contract that we are using (similar to the language in the template that HHS
gave us) we could potentially create a huge burden to overcome in order to
meet the obligations that we are laying out through the development of these
agreements. We are often not a point of contact for many of the providers
who receive services that we contract to various business associates. We
could potentially create an administrative burden for us to track requests
for access to designated record sets maintained by our business associates,
to make amendments to records we don't own, and to provide an accounting of
information our business associates hold on our behalf. 

Any input that might help us make decisions regarding this would be greatly
appreciated. 

CMS has presented guidance that addresses this issue and they have
identified the fact that covered entities may want to consider imposing the
requirement to provide access and to make amendments on their business
associates especially if the information in need of access or amendment is
maintained by a business associate. The guidance further identifies the fact
that an accounting may be imposed on the BA by a covered entity. 

Because each relationship with business associates will be unique and will
vary regarding a covered entity's access to information maintained by the
business associates, I think we need to carefully consider how we develop
these agreements. I believe we need to be flexible in our language so that
we can dictate when we will provide access, make the requested and agreed-to
amendments and when we will assume the responsibility to provide the
accounting and when we will require these things of our business associates.


The FAQs from OCR dated December 3, 2002 on BAs have a question and answers
directly related to this issue. The last sentence of each answer addresses
the ability for covered entities to delegate these functions to our business
associates. It reads as follows: 

"Q: Does the HIPAA Privacy Rule require a business associate to provide
individuals with access to their protected health information or an
accounting of disclosures, or an opportunity to amend protected health
information?

A: The Privacy Rule regulates covered entities, not business associates. The
Rule requires covered entities to include specific provisions in agreements
with business associates to safeguard protected health information, and
addresses how covered entities may share this information with business
associates. Covered entities are responsible for fulfilling Privacy Rule
requirements with respect to individual rights, including the rights of
access, amendment, and accounting, as provided for by 45 CFR 164.524,
164.526, and 164.528. With limited exceptions, a covered entity is required
to provide an individual access to his or her protected health information
in a designated record set. This includes information in a designated record
set of a business associate, unless the information held by the business
associate merely duplicates the information maintained by the covered
entity. Therefore, the Rule requires covered entities to specify in the
business associate contract that the business associate must make such
protected health information available if and when needed by the covered
entity to provide an individual with access to the information. However, the
Privacy Rule does not prevent the parties from agreeing through the business
associate contract that the business associate will provide access to
individuals, as may be appropriate where the business associate is the only
holder of the designated record set, or part thereof.

Under 45 CFR 164.526, a covered entity must amend protected health
information about an individual in a designated record set, including any
designated record sets (or copies thereof) held by a business associate.
Therefore, the Rule requires covered entities to specify in the business
associate contract that the business associate must amend protected health
information in such records (or copies) when requested by the covered
entity. The covered entity itself is responsible for addressing requests
from individuals for amendment and coordinating such requests with its
business associate. However, the Privacy Rule also does not prevent the
parties from agreeing through the contract that the business associate will
receive and address requests for amendment on behalf of the covered entity.

Under 45 CFR 164.528, the Privacy Rule requires a covered entity to provide
an accounting of certain disclosures, including certain disclosures by its
business associate, to the individual upon request. The business associate
contract must provide that the business associate will make such information
available to the covered entity in order for the covered entity to fulfill
its obligation to the individual. As with access and amendment, the parties
can agree through the business associate contract that the business
associate will provide the accounting to individuals, as may be appropriate
given the protected health information held by, and the functions of, the
business associate." 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.
