The most important part of your e-mail is this one: "I believe we need to be flexible in our language so that we can dictate when we will provide access, make the requested and agreed to amendments and when we will assume the responsibility to provide the accounting and when we will require these things of our business associates."
The Privacy Rule generally allows the CE to treat the BA as its alter ego. Whether you do so or not is dependent on a number of different factors (pricing structure, ability of BA to perform, your budget limitations, amount of data involved, newness of relationship, your confidence in the BA, your bargaining power, etc., etc.). [Same considerations approach would also work for entities such as the vendor with a poor bargaining position.]

In any event, you are absolutely right - your basic agreement should be a 'template' that is flexible enough for you to tailor your contract to suit your particular situation so as to maximize your client's position.

Other important points:

1. Maximum flexibility is usually good for both sides unless it is to your advantage to limit the agreement in some way.

2. CMS 12-3-03 BAA Clarifications confirm that CE can have provision in agreement that allows the CE to bypass its BAs and deal directly with the BA's BAs. This provision is a good one for the CE, its BA and BA's BAs to have in most instances.

3. Where possible, and at the very least at renewal, BAA and other amendments should be incorporated into a single agreement to avoid confusion and interpretation problems.

4. Always "have the pen in your hands, or your lawyer's," when you can, so you are working from your document template, rather than the one used by the other side. It allows you to "bury the bones" and find them when you need them. [Lazy lawyers, or their cheap clients, will always allow you to.] It is more expensive for the client in the short run but will save them money in the long run.

5. A fair contract, even one that gives the other side advantages (where possible, in areas where the other lawyer looks good to his client, but the provision involved is irrelevant or not harmful to you or your client.
[A person who has "their back to the wall," feels they have been taken advantage of or is represented by lawyers who represent themselves more than their clients, are more likely to be "fighters" than "lovers," which only benefits the lawyers more than their clients.]

6. Contracts should be drafted so reasonable people can avoid disputes or can resolve them on an amicable basis when they arise.

7. And last, but certainly not least, a contract is no better than the people who sign it. You can never avoid problems through an agreement with an unscrupulous person. They don't care what the contract says because they have no intention of abiding by it.

Have a nice day!

-----Original Message-----
From: Halterman, Anita [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 8:02 PM
To: WEDI SNIP Privacy Workgroup List
Subject: HIPAA Privacy question regarding business associate agreements

I am hopeful that by posting this information to the listservs I can get input from states about how they are approaching the "access, amendment and accounting" requirements of the HIPAA Privacy rule through their business associate contracts. These are my questions:

1) Are any states delegating the responsibility to provide access, amendment and/or accountings through their business associate agreements?

2) If you are, what are the pros and cons that you identified regarding doing this?

For example: I know that if we delegate these functions, we may lose control over these functions but on the other hand we often don't maintain the designated record sets where this information is maintained, our business associates do. In some cases we have no control over information contained in our business associates' designated record sets.
If we proceed with the language in the contract that we are using (similar to the language in the template that HHS gave us) we could potentially create a huge burden to overcome in order to meet the obligations that we are laying out through the development of these agreements. We are often not a point of contact for many of the providers who receive services that we contract to various business associates. We could potentially create an administrative burden for us to track requests for access to designated record sets maintained by our business associates, to make amendments to records we don't own, and to provide an accounting of information our business associates hold on our behalf. Any input that might help us make decisions regarding this would be greatly appreciated.

CMS has presented guidance that addresses this issue and they have identified the fact that covered entities may want to consider imposing the requirement to provide access and to make amendments on their business associates especially if the information in need of access or amendment is maintained by a business associate. The guidance further identifies the fact that an accounting may be imposed on the BA by a covered entity.

Because each relationship with business associates will be unique and will vary regarding a covered entity's access to information maintained by the business associates, I think we need to carefully consider how we develop these agreements. I believe we need to be flexible in our language so that we can dictate when we will provide access, make the requested and agreed to amendments and when we will assume the responsibility to provide the accounting and when we will require these things of our business associates.
The FAQs from OCR dated December 3, 2002 on BAs have a question and answers directly related to this issue; the last sentence for each answer addresses the ability for covered entities to delegate these functions to our business associates. It reads as follows:

"Q: Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?

A: The Privacy Rule regulates covered entities, not business associates. The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresses how covered entities may share this information with business associates. Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting, as provided for by 45 CFR 164.524, 164.526, and 164.528.

With limited exceptions, a covered entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must make such protected health information available if and when needed by the covered entity to provide an individual with access to the information. However, the Privacy Rule does not prevent the parties from agreeing through the business associate contract that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the designated record set, or part thereof.
Under 45 CFR 164.526, a covered entity must amend protected health information about an individual in a designated record set, including any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must amend protected health information in such records (or copies) when requested by the covered entity. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.

Under 45 CFR 164.528, the Privacy Rule requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. The business associate contract must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate contract that the business associate will provide the accounting to individuals, as may be appropriate given the protected health information held by, and the functions of, the business associate."

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.
These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org