This policy applies to all Department of Elder Affairs (DOEA) employees, volunteers, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI). It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by including HIPAA compliance requirements in contracts, agreements and purchase orders with Business Associates to whom DOEA discloses PHI.
A Business Associate is a person or entity that is not a member of the workforce and who, under a legal agreement and on behalf of DOEA, performs or assists in the performance of a function or activity involving the use of individually identifiable health information.
Business Associate Contract
A contract or agreement between DOEA and the Business Associate must establish the permitted uses and disclosures of such information by the Business Associate. The contract or agreement must prohibit the Business Associate from using or disclosing the information in a manner that would violate the Privacy Rule. The contract or agreement must also authorize termination of the contract or agreement by DOEA, if DOEA determines that the Business Associate has violated a material term of the agreement.
The contract or agreement must also provide that the Business Associate will:
- Not further use or disclose the information other than as permitted or required by the contract or agreement, or as required by law;
- Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
- Report to DOEA any use or disclosure of the information not provided for by its agreement of which it becomes aware;
- Ensure that any agents, including subcontractors, to whom it provides PHI received from, or created or received by the Business Associate on behalf of, DOEA agree to the same restrictions and conditions that apply to the Business Associate with respect to such information;
- Make PHI available in accordance with the Right of Access (see 45 CFR §164.524);
- Make PHI available for amendment and incorporate any amendments to PHI in accordance with the Right to Amend (see 45 CFR §164.526);
- Make available the information required to provide an accounting of disclosures in accordance with the Right to an Accounting of Disclosures (see 45 CFR §164.528);
- Make its internal practices, books and records of PHI received from, or created or received by the Business Associate on behalf of, DOEA available to the Secretary of HHS for the purpose of determining DOEA’s compliance with the Privacy Rule; and
- At the termination of the contract, if feasible, return or destroy all PHI received from, or created or received by the Business Associate on behalf of, DOEA that the Business Associate still maintains in any form, and retain no copies of such information; or, if such return or destruction is not feasible, extend the protections of the contract or agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
Noncompliance by a Business Associate
DOEA is in violation of the Privacy Rule if DOEA knew of a pattern of activity or practice of the Business Associate that constituted a material breach or violation of the Business Associate’s obligation under the contract, agreement or other arrangement, unless DOEA took reasonable steps to cure the breach or end the violation and, if those steps were unsuccessful, has either:
- Terminated the contract or agreement or arrangement, if feasible; or
- If termination is not feasible, reported the problem to the Secretary of HHS.
For each Business Associate with whom DOEA shares PHI, DOEA shall ensure that there is a contract or agreement in place between DOEA and the Business Associate, in which the associate agrees to comply with the requirements of the Privacy Rule. The contract or agreement shall provide that the Business Associate must receive written approval from DOEA before the Business Associate may share the information with any other entity.
All employees shall verify that there is a contract or agreement in place with the Business Associate before disclosing any PHI to the associate. Ask Contract Administration if you are uncertain whether there is a contract or agreement in place.
If any employee receives information or otherwise becomes aware that a Business Associate is failing to adequately safeguard PHI provided to the associate by DOEA, the employee should notify his or her supervisor and the DOEA Privacy Officer in the Office of the General Counsel.
If DOEA accepts an amendment to a client’s PHI, DOEA must make a reasonable effort to inform Business Associates it knows have the PHI that is the subject of the amendment and which may have relied on the information to the detriment of the client.
If DOEA accepts restrictions on the use or disclosure of an individual’s PHI, DOEA’s Business Associates must honor the restriction.
Disclosures to Business Associates are subject to minimum necessary requirements.
Business Associates are included in policy updates (provided by DOEA or a vendor for stakeholders) and in compliance audits, which the HIPAA Administrator conducts through the Contract Administration unit.
DOEA ensures that all Business Associates uphold consistent privacy practices and training programs for their employees. DOEA may include a training requirement in Business Associate contracts as a means of protecting the PHI provided to them. DOEA includes HIPAA compliance in the agency’s monitoring process.
DOEA must ensure that those responsible for administering policy and maintaining contracts are aware of all Business Associate relationships and have a mechanism for being notified of changes to those relationships. New contracts and agreements must be reviewed by the General Counsel for HIPAA compliance.
DOEA is not considered to have violated Privacy Rule requirements if a Business Associate discloses PHI as a whistleblower.
DOEA must mitigate, as best it can, the harmful effects of uses and disclosures by its Business Associates that violate DOEA privacy policies and procedures.
Violations must be reported to the DOEA Privacy Officer, the General Counsel.
45 CFR §164.502(e)
45 CFR §164.524
45 CFR §164.504(e)