Health Information Compliance Alert

Business Associates JCAHO RELEASES NEW AND IMPROVED BA MODEL

If at first you don’t succeed … revise, revise again. That’s the reasoning behind the release of JCAHO’s new business associate agreement that aims to make BA contracts workable, efficient and HIPAA-compliant.

In an effort to formalize and standardize its accreditation survey for business associates, the Joint Commission on Accreditation of Healthcare Organizations’ in January unveiled its addendum to its model BA agreement.

Health care organizations wishing to obtain accreditation from must submit protected health information to JCAHO as part of the organization’s survey process. As soon as that data is transmitted to JCAHO, the dispatcher magically transforms into a business associate under the Health Insurance Portability and Accountability Act’s privacy rule.

The new BA agreement is a revised version of a similar document released in December 2002 that reportedly failed to address some covered entities’ concerns, most notably among hospitals. The new agreement “appropriately addresses hospitals’ concerns,” according to an American Hospital Association release. The AHA said it worked with JCAHO to “resolve some remaining concerns” with the agreement and added that JCAHO doesn’t expect to make further emendations to the agreement.

Under the agreement JCAHO is permitted to: use PHI to fulfill JCAHO’s legal responsibilities and for management and administration purposes; disclose PHI to a third party for the same purposes, provided that the disclosures are required by law or the organization has written assurances from the third party that such data will be held confidentially and that the third party notifies JCAHO of any instances when confidentiality is breached; collect an organization’s PHI together with other surveyed organizations to provide the applicant with a data analysis pertaining to the applicant’s health care operations, but  JCAHO cannot disclose PHI from one surveyed organization to another without first obtaining written authorization from both parties; and de-identify PHI created or received by JCAHO pursuant to the requirements of the privacy rule.

Anthony Tirone, director of federal relations for JCAHO, tells Eli the revisions to the earlier agreement are “very minor.” He says JCAHO simply deleted a few phrases both JCAHO and other health care  groups considered redundant. Tirone says JCAHO has begun sending the revisions to its accredited organizations, starting with those that’ll be surveyed April 14, 2003. Surveyed organizations must agree that they have done the following:

  • included in the applicant’s notice of privacy practices that the applicant may disclose PHI for health care operations purposes;
  • obtained individual consents, authorizations and other permissions required for JCAHO to fulfill its obligations under the addendum; and
  • notified JCAHO in writing of any changes in permission by an individual to use or disclose PHI if the changes may alter JCAHO’s ability to perform the survey.

The agreement also specifies that JCAHO and the applicant will agree to amend the addendum as needed in order for the applicant to comply with the privacy rule requirements.

A typical JCAHO survey includes two or three surveyors on site for three days. If there are areas of improvement that need to be made, an entity is given a time frame for coming into correction, depending on the nature of the non-compliance. Organizations that are either unable or unwilling to correct their compliance needs would lose accreditation. But, as Tirone notes, “it would be an unusual circumstance for an organization that hired us to be unwilling to make those corrections.”