COM - Community Occupational Medicine, LLC










Health Information Privacy Protection Act

“Business Associate” Contract

May 24, 2010

POLICY TITLE: Health Information Privacy Protection Act
Identified “BUSINESS ASSOCIATE” Relationships

PURPOSE: To ensure compliance with federal regulations regarding the use or disclosure of protected health information to Business Associates of Community Occupational Medicine (COM) within the context of a contractual relationship.

DEFINITION: A “Business Associate” is a person or organization that, on behalf of COM or an organized health care arrangement in which COM participates, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including:

  • claims processing or administration
  • data analysis
  • processing or administration
  • utilization review
  • quality assurance
  • billing
  • benefit management
  • practice management
  • repricing
  • consulting services
  • data aggregation
  • management
  • administrative
  • accreditation
  • financial services for COM

 

Members of the workforce of COM, which includes employees, physicians, volunteers and students, are not considered Business Associates under the Privacy Regulations.

POLICY:

COM may disclose protected health information to a Business Associate provided COM obtains satisfactory assurance that the Business Associate will appropriately safeguard the information.  Such assurance must be documented through a written agreement with the Business Associate.
           
This requirement does not apply with respect to disclosures by COM to a health care provider concerning the treatment of the individual.

If COM knows of a practice of the Business Associate that constitutes a material breach or violation of the Business Associate’s obligation under the contract or other arrangements, COM will take reasonable steps to cure the breach or end the violation.  If such actions are unsuccessful, the contract or arrangement will be terminated, if feasible without major disruption to business operations.  Alternatively, the problem must be reported to the Secretary of Health and Human Services.
Pertinent protected health information collected prior to the compliance date is not subject to these regulatory requirements.

CONTRACT REQUIREMENTS

 

A contract between COM and the Business Associate:

  • Must establish permitted and required uses and disclosures of protected health information by the Business Associate.
  • May permit the Business Associate to use and disclose protected health information for the proper management and administration of the Business Associate or permit the Business Associate to provide data aggregation services relating to the health care operations of COM.
  • A standard Business Associate contract addendum meeting these requirements can be found on the P Drive Shared/ HIPAA Business/ Associate Addendum.

The contract must also provide that the Business Associate will:

  • Not use or further disclose the information other than as permitted or required by the contract or as required by law;
  • Use appropriate safeguards to prevent uses or disclosures of the information other than as provided for by its contract;
  • Report to COM any uses or disclosures of the information not provided for by its contract of which it becomes aware;
  • Ensure that any agents, including a subcontractor, to whom it provides protected health information, received from, or created or received by, the Business Associate on behalf of COM agrees to the same restrictions and conditions that apply to the Business Associate with respect to such information;
  • Make available protected health information in accordance with the Privacy Regulations;
  • Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with the Privacy Regulations;
  • Make available the information required to provide an accounting of disclosures in accordance with the Privacy Regulations;
  • Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, created or received by COM available to the Secretary of Health and Human Services for purposes of determining COM's compliance with the Privacy Regulations;
  • At the termination of the contract, if feasible, return or destroy all protected health information, and copies, received from, created or received by the Business Associate on behalf of COM that the Business Associate still maintains.  If such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible.

The contract must authorize termination of the contract by COM if COM representatives determine that the Business Associate has violated a material term of the contract.

OTHER REQUIREMENTS FOR CONTRACTS AND OTHER ARRANGEMENTS

 

A contract or other arrangement between COM and the Business Associate may permit the use of the information received by the Business Associate:

  • Carry out the legal responsibilities of the Business Associate for purposes of proper management or administration be released;
  • If the disclosure is required by law; or
  • The Business Associate obtains reasonable assurances from the person to whom the information is disclosed only as required by law or for the purpose for which it was disclosed to the person; AND
  • The person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

 

OTHER ARRANGEMENTS

If the Business Associate is required by law to perform a function, activity or service described in the definition of Business Associate for COM, COM may disclose protected health information to the Business Associate to the extent necessary to comply with the legal mandate without the requirements of the Privacy Regulations.  COM must attempt in good faith to obtain satisfactory assurances as required by the Privacy Regulations.  If the attempt fails, the reason for the failure and the fact that assurances could be obtained must be documented.

 

References:
In accordance with 45 CFR 164.502(e)(1) and 164.504(e)

As an identified “Business Associate” I agree to uphold the Health Information Privacy Protection Act in accordance with Community Occupational Medicine’s HIPAA policy. I will also inform COM of any changes where as this agreement has been breached. I will also inform COM of any terminations or other changes in my position or “designated company individuals” affiliation as a “Business Associate” within 2 business days.

I have read the following and agree to uphold the HIPAA policy

© 2010 Community Occupational Medicine
Elkhart: 574.389.1231 | Goshen: 574.534.1231