Use or Disclosure of Protected Health Information and Electronic Protected Health Information with Business Associates
Statement of Policy
Washington University and its member organizations (collectively, “Washington University” or “WU”) are committed to conducting business in compliance with all applicable laws, regulations and WU policies. As part of this commitment, WU has adopted this Policy to ensure that WU’s Business Associates and their employees comply with applicable federal, state, and local laws, regulations and WU policies.
Scope of Policy
This Policy applies to all Uses and management of Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) by, and all Disclosures of PHI and EPHI to, Business Associates of WU.
Policy
1) General Rule.
WU and members of its Workforce may Disclose PHI and/or EPHI to a Business Associate and/or permit a Business Associate to create, receive, manage or Use PHI on behalf of WU ONLY IF a Business Associate Agreement, a copy of which is attached as Schedule 1, has been fully executed by WU and the Business Associate. Any amendments or modifications to the Business Associate Agreement must be reviewed and approved by the Privacy Officer.
2) Examples of Business Associates.
Business Associates are persons who are not members of WU’s Workforce, but who are providing services to or on behalf of WU in its role as a Health Care Provider or Health Plan and the provision of those services involves the Use, management or Disclosure of PHI and/or EPHI. Such services might include billing or claims processing; data analysis, processing or administration; data storage, retrieval or destruction; computer system maintenance and repair; utilization review; quality assurance; benefit management; practice management; data aggregation; financial services; actuarial, legal and accounting services; and accreditation. Business Associates may include, among others, management, administrative or clerical personnel (if not WU employees); temporary staffing agencies; transcriptionists (if not WU employees); law firms; accounting firms; benefit management companies; third party administrators; collection agencies; expert witnesses; billing companies; and information systems service providers and service personnel, and other types of consultants.
3) Breach of Business Associate Agreement.
If WU or any member of its Workforce becomes aware of a material breach of the Business Associate Agreement by a Business Associate, the Privacy and Security Officers must be notified of the breach immediately. WU will take reasonable steps to cause the Business Associate to cure the breach or end the violation. If such steps are unsuccessful, WU must: (i) terminate the arrangement with the Business Associate, if feasible; or (ii) if termination is not feasible, report the problem to the Secretary of the Department of Health and Human Services.
4) Exceptions.
a) Treatment.
This Policy does not apply to Disclosures of PHI by WU to one or more Health Care Providers, including without limitation BJH and SLCH, for Treatment of the Individual to whom the PHI or EPHI relates.
b) Medical Staff Membership.
WU faculty as non-employed members of the medical staff of BJC facilities are not by virtue of such status alone considered Business Associates.
5) Responsibility of All WU Workforce
Every member of the WU Workforce is responsible for being aware of, and complying with, this Policy. Questions should be directed to the Privacy Officer.
Creation Date: November 22, 2002
Effective Date: April 14, 2003
Last Revision Date: March 24, 2003
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is made and entered into as of this________ day of_________ , 20___ by and between Washington University, a benevolent corporation created by special act of the Missouri General Assembly (“Covered Entity”), and________________ (“Business Associate”).
WITNESSETH:
WHEREAS, Covered Entity may Disclose or make available to Business Associate, and Business Associate may Use, Disclose, receive, transmit, maintain or create from or on behalf of Covered Entity, certain information in conjunction with services being provided by Business Associate to or on behalf of Covered Entity; and
WHEREAS, Covered Entity and Business Associate are committed to compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and regulations promulgated thereunder; and
WHEREAS, the purpose of this Agreement is to satisfy the obligations of Covered Entity under HIPAA and to ensure the integrity and confidentiality of certain information Disclosed or made available to Business Associate and certain information that Business Associate Uses, Discloses, receives, transmits, maintains or creates, from or on behalf of Covered Entity.
NOW, THEREFORE, in consideration of the foregoing recitals and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
A. DEFINITIONS
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.
1. Electronic Media shall have the same meaning as the term "electronic media" in 45 C.F.R. §160.103 of the Security Rule.
2. Electronic Protected Health Information or EPHI shall have the same meaning as the term "electronic protected health information" in 45 C.F.R. §160.103 of the Security Rule to the extent such information is transmitted in Electronic Media or maintained in Electronic Media by Business Associate from or on behalf of Covered Entity.
3. Individual shall have the same meaning as the term “individual” in 45 C.F.R. §164.501 of the Privacy Rule and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g) of the Privacy Rule.
4. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended from time to time.
5. Protected Health Information or PHI shall have the same meaning as the term “protected health information” in 45 C.F.R. §164.501 of the Privacy Rule, to the extent such information is created or received by Business Associate from or on behalf of Covered Entity.
6. Required by Law shall have the same meaning as the term “required by law” in 45 C.F.R. §164.501 of the Privacy Rule.
7. Security Rule shall mean the Health Insurance Reform: Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as amended from time to time.
8. Security Incident shall have the same meaning as the term "security incident" in 45 C.F.R. §164.304 of the Security Rule.
B. SCOPE AND PURPOSE
1. This Agreement applies to all past, present and future agreements and relationships, whether written, oral or implied, between Covered Entity and Business Associate, pursuant to which Covered Entity provides PHI or EPHI to Business Associate in any form or medium. As of the Effective Date, this Agreement automatically extends to and amends all existing agreements between Covered Entity and Business Associate involving the Use or Disclosure of PHI or EPHI. This Agreement shall automatically be incorporated into all subsequent agreements between Covered Entity and Business Associate involving the Use or Disclosure of PHI or EPHI, whether or not expressly referenced therein.
2. This Agreement sets forth the terms and conditions pursuant to which PHI that is Used, Disclosed, received, transmitted, maintained or created by Business Associate from or on behalf of Covered Entity will be handled by Business Associate. Except as otherwise specified herein, Business Associate may make all Uses and Disclosures of PHI and EPHI necessary to perform its obligations to Covered Entity under any written agreement with Covered Entity or pursuant to Covered Entity’s written instruction, provided that such Use or Disclosure would not violate the Privacy Rule or Security Rule if done by Covered Entity. All other Uses and Disclosures not Required by Law, authorized by this Agreement or authorized by any other written agreement with Covered Entity or Covered Entity’s written instructions are prohibited. Moreover, Business Associate may Disclose PHI and EPHI for the purposes authorized by this Agreement or such other written agreement or instruction only: (i) to its employees, subcontractors and agents, in accordance with section C.1. below; (ii) as directed by Covered Entity; or (iii) as otherwise permitted by the terms of this Agreement or as Required by Law.
C. PRIVACY OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
1. Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this Agreement or as Required by Law. Notwithstanding anything contained in this Agreement or in any other agreement or understanding between Covered Entity and Business Associate to the contrary, Business Associate shall not further Disclose PHI to any third party for purposes other than Treatment, Payment or Health Care Operations without the prior, written consent of Covered Entity. To the extent Covered Entity’s written consent is given to make Disclosures, Business Associate shall maintain records of each such Disclosure, containing at a minimum, the date of the Disclosure, the name of the entity or person who received the PHI and, if known, the address of such entity or person, a brief description of the PHI Disclosed, and a brief statement of the purpose of the Disclosure. Upon request and as directed by Covered Entity, Business Associate shall provide to Covered Entity or to the Individual to whom the PHI relates an accounting of all such Disclosures in accordance with 45 C.F.R. §164.528.
2. Business Associate agrees to Use appropriate safeguards to prevent Use or Disclosure of the PHI other than as provided for by this Agreement.
3. Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, including without limitation, any Disclosure of PHI to an unauthorized subcontractor, within ten (10) days of its discovery.
4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of an unauthorized or prohibited Use or Disclosure of PHI of which it becomes aware.
5. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
6. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. §164.524.
7. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
8. Business Associate agrees to make internal practices, books and records including policies and procedures relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to Covered Entity, or to the Secretary of the Department of Health and Human Services (the “Secretary”), in a time and manner designated by Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule, subject to the attorney-client and other privileges.
9. Business Associate shall make available, upon prior request and during normal business hours, all records, books, agreements, policies and procedures relating to the Use and Disclosure of PHI to Covered Entity for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of this Agreement.
D. SECURITY OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
1. Business Associate shall, and shall require its agents and subcontractors to, develop, implement, maintain and use, at its own expense, such appropriate administrative, technical and physical safeguards as may be required from time to time to reasonably and appropriately protect the confidentiality, integrity and availability of EPHI that it creates, receives, maintains and transmits on behalf of the Covered Entity. Business Associate shall, and shall require its agents and subcontractors to, document such safeguards in written policies, procedures or guidelines and make such materials available to Covered Entity upon Covered Entity's request. Business Associate shall report to the Covered Entity any Security Incident of which it becomes aware, within ten (10) days of its discovery.
2. If Business Associate conducts Standard Transactions, as that term is defined in 45 C.F.R. Part 162, for or on behalf of Covered Entity, Business Associate will comply and will require each subcontractor or agent involved with such Standard Transactions to comply with each applicable requirement of 45 C.F.R. Part 162. Business Associate will not enter into, or permit its subcontractors or agents to enter into, any agreement in connection with the Standard Transactions conducted for or on behalf of Covered Entity that (i) changes the definition, data condition or Use of a data element or segment in a Standard Transaction; (ii) adds any data elements or segments to the maximum defined data set; (iii) Uses any code or data element that is marked "not used" in the Standard Transaction's implementation specification or is not in the Standard Transaction's implementation specification; or (iv) changes the meaning or intent of the Standard Transaction's implementation specification. Business Associate agrees to demonstrate compliance with the foregoing requirements by a mutually agreed upon date and shall, upon Covered Entity's request, demonstrate compliance by allowing Covered Entity to test such compliance.
E. PERMITTED USES AND DISCLOSURES OF PHI BY BUSINESS ASSOCIATE
1. Except as otherwise limited in this Agreement, Business Associate may Use or Disclose PHI and EPHI to perform functions, activities or services for, or on behalf of, Covered Entity as described in this Agreement, provided that such Use or Disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of Covered Entity.
2. Except as otherwise limited in this Agreement, Business Associate may Use PHI and EPHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
3. Except as otherwise limited in this Agreement, Business Associate may Disclose PHI and EPHI for the proper management and administration of Business Associate, provided that Disclosures are Required by Law, or Business Associate obtains reasonable assurances, as evidenced by a written contract, from the person to whom the information is Disclosed that it will remain confidential and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
4. Except as otherwise limited in this Agreement, Business Associate may aggregate PHI and EPHI in its possession to provide data aggregation services to Covered Entity as described in 45 C.F.R. §164.504(e)(2)(i)(B).
5. Business Associate may Use PHI and EPHI to report violations of law to appropriate federal and state authorities consistent with 45 C.F.R. §164.502(j)(1).
F. OBLIGATIONS OF COVERED ENTITY
1. Covered Entity shall provide Business Associate with the Notice of Privacy Practices that it produces in accordance with 45 C.F.R. §164.520 as well as any changes in said Notice to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI to the extent such changes may affect Business Associate’s Use and Disclosure of PHI.
3. Covered Entity shall notify Business Associate of any restriction to the Use or Disclosure of PHI Covered Entity has agreed to in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
4. Covered Entity shall not request that Business Associate Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as otherwise described in this Agreement.
G. TERM AND TERMINATION
1. The provisions of this Agreement shall be effective as of the earlier of the Effective Date or April 14, 2003 and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
2. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either: (i) provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement along with any other agreements between the Covered Entity and Business Associate which relate to the act or omission constituting the material breach if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; (ii) immediately terminate this Agreement (and the agreement(s) to which this Agreement relates) if Business Associate has breached a material term of this Agreement and cure is not possible; or (iii) if neither termination nor cure is feasible, report the violation to the Secretary.
3. Upon termination of this Agreement, for any reason, Business Associate shall return to Covered Entity or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of such PHI. Business Associate shall complete such return or destruction as promptly as possible but no later than forty-five (45) days after the effective date of termination of this Agreement.
4. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. If Covered Entity concurs that return or destruction of the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
H. MISCELLANEOUS
1. A reference in this Agreement to a section in the Privacy Rule or Security Rule means the section as amended or as renumbered.
2. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule, Security Rule and HIPAA.
3. The respective rights and obligations of Business Associate outlined in Section G. of this Agreement shall survive termination of this Agreement.
4. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule and the Security Rule.
5. There are no intended third party beneficiaries to this Agreement. Without in any way limiting the foregoing, it is the parties' specific intent that nothing contained in this Agreement gives rise to any right or cause of action, contractual or otherwise, in or on behalf of the individuals whose PHI or EPHI is Used or Disclosed pursuant to this Agreement.
6. No provision of this Agreement may be waived except by an agreement in writing signed by the waiving party. A waiver of any term or provision shall not be construed as a waiver of any other term or provision.
7. The persons signing below have the right and authority to execute this Agreement for their respective entities and no further approvals are necessary to create a binding agreement.
8. In the event of any conflict between the terms and conditions stated within this Agreement and those contained within any other agreement or understanding between the parties, written, oral or implied, the terms of this Agreement shall govern. Without limiting the foregoing, no provision of any other agreement or understanding between the parties limiting the liability of Business Associate to Covered Entity shall apply to the breach of any covenant in this Agreement by Business Associate.
9. The headings of sections are inserted solely for purposes of convenience and shall not alter the meaning of this Agreement.
10. This Agreement shall be construed in accordance with and governed by the laws of the State of Missouri.
11. Business Associate will indemnify, defend and hold harmless Covered Entity and any of Covered Entity's affiliates, and their respective trustees, officers, directors, employees and agents ("Indemnitees") from and against any claim, cause of action, liability, damage, cost or expense (including, without limitation, reasonable attorney's fees and court costs) arising out of or in connection with any unauthorized or prohibited Use or Disclosure of PHI or EPHI or any other breach of this Agreement by Business Associate or any subcontractor, agent or person under Business Associate's control. In the event a claim is made against an Indemnitee for any such claim, cause of action, liability, damage, cost or expense, Covered Entity may, at its sole option: (i) tender the defense to Business Associate, who shall provide qualified and competent counsel to represent the Indemnitee's interest at Business Associate's expense; or (ii) undertake its own defense, utilizing such professionals as it deems reasonably necessary, holding Business Associate responsible for all reasonable costs thereof. In any event, Covered Entity shall have the sole right to control and approve any settlement or other compromise of any claim brought against it that is covered by this Section.
12. Business Associate acknowledges that the restrictions contained in this Agreement are reasonable and necessary to protect the legitimate professional and business interests of Covered Entity and to ensure Covered Entity's compliance with the Privacy Rule and Security Rule. Business Associate further acknowledges and agrees that a breach of the covenants contained in this Agreement will cause irreparable harm to Covered Entity and that damages arising from any breach may be difficult to ascertain and no adequate legal remedy exists. Accordingly, Covered Entity shall be entitled to receive injunctive relief and/or specific performance and damages, as well as any and all legal and equitable remedies to which it may be entitled.
IN WITNESS WHEREOF, the parties have executed this Agreement effective upon the Effective Date set forth above.
COVERED ENTITY: WASHINGTON UNIVERSITY
By: ____________________________
Its: ____________________________

BUSINESS ASSOCIATE: _________________________
By: ____________________________
Its: ____________________________
Revised: March 24, 2004