Cover Slide Title

1
Business Associate Agreements
A VA Perspective
James (Mickey) Gwyn Business Associate Component
LiaisonVHA Privacy Office VHA Office of
Information
9-10 October 2007
2
AGENDA

• HIPAA 101
• Business Associate Provisions
• VA Standard Operating Procedures
• Available Resources
• Questions

3
The Statutes
HIPAA 101
4
HIPAA 101

• Health Insurance Portability and Accountability
  Act (HIPAA) was passed by Congress in 1996
• Public Law 104-191
• Original objection was the inability to transfer
  health insurance
• Section 262 - Administrative Simplification was
  added at the request of the Healthcare Industry
• Fines of up to 25,000 for incidental violations
• Fines of up to 250,000 for intentional
  violations
• Even up to 10 years in prison for violations with
  criminal intent!

5
HIPAA 101
6
Business Associate Provisions

• 164.502 Uses and disclosures of protected
  health information general rules
• (e)(1) Standard disclosures to business
  associates
• 164.504 Uses and disclosures organizational
  requirements
• (e)(1) Standard business associate contracts
• (2) Implementation specifications business
  associate contracts
• (3) Implementation specifications other
  arrangements
• (4) Implementation specifications other
  requirements for contracts

7
Business Associate Provisions

• Covered Entity (CE)
• A health plan, health care clearinghouse, or
  health care provider who transmits any health
  information in electronic form in connection with
  a transaction. (VHA or its facilities are the
  only Covered Entities in VA)
• Business Associate (BA)
• A person or entity that performs certain
  functions or activities that involve the use or
  disclosure of protected health information on
  behalf of, or as a provision of services to, a
  covered entity.
• Business Associate Agreement (BAA)
• A written agreement, between business associate
  and covered entity, stating mandatory provisions
  regarding the use and disclosure of protected
  health information.
• Protected Health Information Individually
  Identifiable Health
• Information.

8
It Takes Three
Business Associate Provisions

• Covered Entity
• Functions, Activities or Services Provided
  Outside of Covered Entity
• Requires Use of PHI

9
Questions to Ask
VA Standard Operating Procedures

• Does the device/software interface with VistA
  where PHI resides?
• Does the device/software store PHI on an internal
  hard drive or remote server?
• Is there remote access to the device/software?
• How do we handle trade-in of devices and removal
  of sensitive data?
• Are these incidental disclosures?
• However, an incidental use or disclosure that
  occurs as a result of a failure to apply
  reasonable safeguards or the minimum necessary
  standard, where required, is not a permissible
  use or disclosure and, therefore, is a violation
  of the Privacy Rule.

10
National Level BAAs
VA Standard Operating Procedures

• Process approved by Department of Health and
  Human Services
• Negotiated by VHA Privacy Office
• Signature Authority Within Office of Director,
  Health Data Informatics
• Covers every VHA site that has an arrangement
  with the vendor
• Periodic review

11
Unique VA Language
VA Standard Operating Procedures
Ensure any employee of BA, contractor,
subcontractor or agent of BA performing functions
requiring access to PHI receives at least annual
privacy training that conforms to the
requirements of VHA Privacy Training Ensure any
employee of BA, contractor, subcontractor or
agent of BA performing functions requiring access
to PHI receives at least annual security
awareness training that conforms to the
requirements of the Department of Veterans
Affairs Office of Cyber and Information Security
Training
12
Unique VA Language
VA Standard Operating Procedures

• Public Law 109-461, Title IX (Department of
  Veterans Affairs Information Security Enhancement
  Act of 2006) states

• The Secretary shall ensure that the Department
• information security program includes the
  following elements
• Annual security awareness training for all
  Department
• employees, contractors, and all other users of VA
  sensitive
• data and Department information systems that
  identifies the
• information security risks associated with the
  activities of such
• employees, contractors, and users and the
  responsibilities of
• such employees, contractors, and users to comply
  with
• Department policies and procedures designed to
  reduce such
• risks.

13
Unique VA Language
VA Standard Operating Procedures

• Within 24 hours of Business Associate first
  becoming aware of a HIPAA Electronic Transactions
  and Code Sets, Privacy, Security or Standard
  Identifier Incident, or Use or Disclosure of PHI
  not provided for by this BAA, notify the Covered
  Entity and promptly provide a report to Covered
  Entity.

14
Unique VA Language
VA Standard Operating Procedures

• An incident will be considered any attempted
  or successful unauthorized access to, use,
  disclosure, modification, or destruction of, or
  interference with PHI, or an event that causes
  the Covered Entity to be considered non-compliant
  with the Administrative Simplification provisions
  of HIPAA as determined by the Department of
  Health and Human Services.

15
Unique VA Language
VA Standard Operating Procedures

• Utilize only contractors, subcontractors, or
  agents who are physically located within a
  jurisdiction subject to the laws of the United
  States. Business associate will ensure that it
  does not use or disclose PHI received from
  Covered Entity in any way that will remove the
  PHI from such jurisdiction.

16
Unique VA Language
VA Standard Operating Procedures

• Upon completion of the applicable contract(s)
  or agreement(s), the Business Associate shall
  return or destroy the PHI gathered, created,
  received or processed during the performance of
  the contract(s) or agreement(s), and no data will
  be retained by the Business Associate, or any
  agents or subcontractors of the Business
  Associate, unless retention is required by law or
  regulation or expressly permitted herein. The
  Business Associate shall assure that all PHI has
  been returned to the Covered Entity, destroyed by
  Business Associate, or both as deemed
  appropriate by Covered Entity. If immediate
  return or destruction of all data is not
  possible, the Business Associate shall assure
  that all PHI retained will be safeguarded to
  prevent unauthorized Uses or Disclosures. Until
  the Business Associate provides assurance,
  Covered Entity may withhold 15 of the final
  payment of the contract(s) or agreement(s).

17
Available Resources

• Health and Human Services FAQs
• http//answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser
  /std_alp.php
• Health and Human Services BA Guidelines
• http//www.hhs.gov/ocr/hipaa/guidelines/businessas
  sociates.pdf
• Signed National BAAs
• http//vaww1.va.gov/cbo/hipaa/signedbaa1.asp

18
Available Resources
James "Mickey" Gwyn Business Associate Component
Liaison VHA Office of Information(615) 278-3658
Office(615) 278-3702 Faxjames.gwyn_at_va.gov
VHA Privacy Office 202-461-5861
19
Questions