If you just fill in the blanks using the model business associate contract language for HIPAA supplied by the Department of Health and Human Services, you'll be left holding the bag if the associate violates the privacy rules. The Health Insurance Portability and Accountability Act requires companies that do business with covered entities to comply with HIPAA as well. Your organization ultimately could be held liable if these business associates (consultants, vendors, software providers, billing services) mishandle protected health information (PHI).

When you begin crafting new or revised business associate contracts, remember that you can use your own contract language and provisions; the model language HHS published is advisory and not required, explains attorney Steve Bernstein with McDermott, Will & Emery in Boston. Moreover, the model provisions do not constitute a contract, he says, but are "just pieces of contract language."

Providers that want to use the provisions will have to fashion them into a coherent whole, paying close attention to the provisions' details, experts advise. "People might just take the wholesale language and throw it in contracts and really have no idea what that actually means to their relationship with the other party," worries attorney Allison Shuren with Arent Fox Kintner Plotkin & Kahn in Washington.

For example, HHS points out that the privacy rule allows business associates to disclose PHI "to report unlawful conduct in accordance with Sec. 164.502(j)." The model provision language does not address this area, and it "will need to be worked out between the [contracting] parties," HHS advises.

Shuren encourages providers to be sure the model provisions suit their particular situations, and if they don't, to modify them accordingly. "You really need to read [the model language] and tailor it to your relationship with whomever you're entering into that contract with," says Shuren.

HHS itself suggests providers may want to add provisions to a business associate contract so the provider will "be able to rely on the business associate to help the covered entity meet its obligations under the privacy rule." Providers also may want to include a provision allowing them to end their relationship with a troublesome business associate without being liable for breach of contract, suggests attorney Kathy Kearney with Reed Smith in Washington. "If, for example, there is an inappropriate disclosure by an entity that is your business associate, you would want the ability to either terminate the contract or impose some kind of sanctions on the entity," she tells Eli.

And while it is not possible to contractually require a business associate to share in any criminal responsibility that might arise from the associate's inappropriate disclosure of PHI, a provider can include indemnification provisions that would allow it to recoup fines from the associate, Kearney counsels.

HHS' March 27 proposed changes to the HIPAA privacy rules allow providers to continue operating under existing business associate contracts until April 14, 2004, a one-year extension from the current requirement. To qualify for the extension, the contract between the provider and business associate must meet two qualifications. First, it must have been in effect prior to the proposed modifications' effective date. While that date is not yet known, the statute requires any revisions to the privacy rule to become effective by Oct. 13, 2002. Second, it must not be renewed or modified between the effective date and the privacy rule's original compliance date of April 14, 2003. Any contract meeting these two basic requirements will be deemed to be in compliance with the privacy rule until the earlier of the April 14, 2004 extension date or the date it is renewed or modified, the proposed extension instructs.