Hi, Dee.
Confidentiality agreements are often proposed for a covered
entity's own workforce. The idea is to be responsive to the Privacy Rule's
requirements for reasonable security precautions and for a system for
sanctioning workforce members who violate the Privacy Rule. Among other
things, a confidentiality agreement (which need not be more than a page)
would put a covered entity's workforce members on notice of the consequences of
violating the Privacy Rule.
The idea of extending confidentiality agreements to the
workforce of a business associate would seem to be responsive to the same
considerations.
However, I don't believe that such an agreement is best
structured as one between the covered entity and the business associate's
workforce members. It would make better sense for a covered entity to
require its business associate, as a function of the business associate
contract, to enter into such agreements with its own personnel. It's
hard to see what consideration would be flowing to the business associate's
employee from the covered entity so as to establish consideration for the
promise of confidentiality made directly by the business associate's employee to
the covered entity. The covered entity isn't paying the employee's wages;
and payment on the contract with the covered entity isn't going to the employee
but to the business associate. What would the business associate's
employee be getting out of the deal?
A requirement in the covered entity's contract with the
business associate that the business associate enter into such agreements with
its workforce members, however, would be enforceable against the business
associate by the covered entity and against the business associate's employee by
the business associate.
Such an agreement wouldn't do much if anything to increase the
covered entity's rights and remedies, but it would show that the covered entity
had gone the extra mile. It's conceivable that such a showing might have
some evidentiary value in a case in which a patient, for example, was suing a
provider on State law breach of privacy and negligence grounds for some
egregious act by a business associate to whom the provider had entrusted
the patient's information. Nevertheless, your question as to whether it's
a mile worth going is a valid one.
John
redhipaa.com
--- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP.