Business associate contracts
Q: I know that HIPAA requires contracts with some of the people and companies who work for me, but I'm not sure which ones.
A: Generally, any person or company that works for you and receives protected health information from you must be given a business associate contract. So you wouldn't need one with a janitorial service, but you would with a billing service. You don't need contracts with members of your staff, nor do you need one with another physician.
Q:What is the date I need to have these contracts in place?
A: The deadline was April 14, 2003. The required language in your business associate contracts should spell out what the associate can and can't do with protected information, his obligation to safeguard data and report unauthorized uses and disclosures, and so forth. If your contracts don't contain the required language (sometimes referred to as the "set of mandatory terms"), you should assign the task of making your contracts HIPAA-compliant to a qualified person now.
Q:I understand that there is a possible one-year delay for existing contracts. Is that true?
A: Yes, but the rules are tricky and, in fact, undermine the delay altogether.
For a contract to qualify, it must have been in writing and effective prior to Oct. 15, 2002. Such contracts aren't required to contain all of the mandatory language until they are modified or renewed (other than automatically) or by April 14, 2004, whichever comes first.
But even contracts that qualify for the delay may have to be amended to include at least some of the mandatory terms. For example, if you have a billing company that has access to your billing records, your contract with them must spell out the right of a patient to access her medical record and her right to amend it, if necessary. Existing contracts that already contain this language may still qualify for the delay. But if you modify your existing contract to reflect this language, that modification terminates the delay period and makes your contract subject to the other mandatory business associate language.
Also, as of April 14, you're responsible for mitigating any damages resulting from a business associate's privacy violations. For this reason, you may want to amend your existing contracts to require business associates to assume that responsibility.
Q:What are the penalties if my contracts aren't in compliance?
A: If a business associate contract is required but not in place, any disclosures of protected health information to that associate violate HIPAA and can subject you to civil monetary fines, criminal fines, and imprisonment.
The HHS Office for Civil Rights enforces HIPAA compliance and imposes civil penalties. For now, OCR has said that its enforcement actions will be largely complaint-driven. Expect OCR to seek voluntary compliance, rather than to impose fines.
This may not be the case with the US Department of Justice, which is responsible for enforcing the criminal provisions of HIPAA. The DOJ has never publicly stated that it would give alleged violators a second chance to comply.
Keep in mind: Many believe private lawsuits will be the biggest HIPAA liability threat for doctors.
Robyn A. Meinhardt is a partner in the Denver office of Foley & Lardner. She can be reached at email@example.com. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. If you have a question, please submit it via e-mail to firstname.lastname@example.org, or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645. ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.
Robyn Meinhardt. HIPAA Consult: Answers to your questions about . . ..
Sep. 5, 2003;80:25.