File #: A 16-342
Name: NMC Business Associate Agreement Template
Type: BoS Agreement
Status: Passed
File created: 10/11/2016
In control: Board of Supervisors
On agenda: 11/1/2016
Final action: 11/1/2016
Title: a. Approve the revised Business Associate Agreement ("BAA") template to be utilized by Natividad Medical Center ("NMC") in conjunction with contracts with Business Associates ("BAs") performing specified services involving the use or disclosure of protected health information ("PHI"). b. Authorize the NMC Chief Executive Officer or Contracts/Purchasing Officer to execute the revised BAA Template in conjunction with contracts with BAs performing specified services involving the use or disclosure of PHI. c. Authorize NMC to implement future changes to the BAA template and to execute further revised BAAs, all subject to review and approval by County Counsel; delegation of authority limited to June 30, 2021.
Attachments: 1. Board Report, 2. NMC BAA Revised Template.pdf, 3. Completed Board Order


Report

RECOMMENDATION:

It is recommended that the Board of Supervisors:

a. Approve the revised Business Associate Agreement (“BAA”) template to be utilized by Natividad Medical Center (“NMC”) in conjunction with contracts with Business Associates (“BAs”) performing specified services involving the use or disclosure of protected health information (“PHI”).

b. Authorize the NMC Chief Executive Officer or Contracts/Purchasing Officer to execute the revised BAA Template in conjunction with contracts with BAs performing specified services involving the use or disclosure of PHI.

c. Authorize NMC to implement future changes to the BAA template and to execute further revised BAAs, all subject to review and approval by County Counsel; delegation of authority limited to June 30, 2021.

SUMMARY/DISCUSSION:

Background
By law, the HIPAA Privacy Rule applies only to covered entities. However, most health care providers do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions - not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.

General Provision
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered entity.

The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). The contract must:

- Describe the permitted and required uses of protected health information by the business associate;

- Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and

- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

Overview of Revised Business Associate Agreement template
The attached Business Associate Agreement (“BAA”) template is a written contract between the County, doing business as Natividad Medical Center, a covered entity, and the County’s vendor that meets the definition of a “business associate.” The Agreement: establishes the permitted and required uses and disclosures of protected health information by the business associate; provides that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; requires the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information; and requires the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.

The revisions include editing for conciseness and to eliminate any duplicative provisions. Also revised are several provisions to specify compliance with the California Confidentiality Laws (rather than applicable laws, generally), including the State breach notification laws. In addition, the timeline for access and amendment to PHI in consideration of the California Patient Access to Health Records Law was modified.

OTHER AGENCY INVOLVEMENT:

County Counsel has reviewed and approved the revised BAA template for legal form and legality. The NMC BAA template was reviewed and approved by NMC’s Finance Committee on February 25, 2016 and by its Board of Trustees on March 4, 2016.

FINANCING:

There is no cost associated with this request.


Prepared by: Teri Ransbury, MSN, BSN, RN, L-SS, Compliance Officer, 783-2559

Approved by: Gary R. Gray, DO, Chief Executive Officer

Attachments:

Revised BAA template for use by Natividad Medical Center