| Effective Date: 7/1/04 |
| Office of Origin: Materiel Management - Campus Purchasing |
I. Purpose
The
This document is intended for use by the University of California, San Francisco (UCSF) Campus and
II. Definitions
Accounting of Disclosures: A required record, made in response to a patient’s request, of all disclosures of PHI made to outside entities within the six years prior to the request date, including, but not limited to, disclosures made during a research protocol pursuant to a Committee on Human Research (CHR)/Internal Review Board (IRB) approved Waiver of Authorization.
Business Associate Agreement (BAA): A written contract between a BA and a covered entity that specifies the permitted uses and disclosures and the safeguards required for Protected Health Information (PHI) by a BA in order to perform a function or activity, or to provide a service on behalf of the covered entity.
Covered Entity (CE): An entity that must comply with HIPAA. The term covered entity refers to health care providers, health plans, and health care clearinghouses that perform a covered service and transmit data electronically.
Disclosure: The act of releasing, transferring, providing access to, or divulging in any other manner, information outside of the entity holding the information.
Protected Health Information (PHI): Any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity in any form, including verbal communications with a staff member, or as the result of research activities that are not subject to an exemption or waiver. Records covered by the Family Educational Rights and Privacy Act (FERPA) are excluded from the definition of PHI.
Provider: A person or entity that provides medical services and that bills for or is paid for medical services in the normal course of business.
Research Health Information (RHI): Personally identifiable health information of a human subject arising from biomedical or behavioral research that is neither associated with health care services nor provided in a setting that bills for care. A researcher engaged in interventional clinical studies (i.e., research comparing the safety and effectiveness of a treatment in a setting where services are billed to an insurer) creates PHI.
Use: With respect to PHI, the sharing, employment, application, utilization, examination, or analysis of such information within the entity that maintains such information.
It is the policy of UCSF that PHI may be disclosed to and used by Business
Associates as necessary to allow the BA to carry out a health care-related
function or activity on behalf of, or to provide services to, UCSF.
A BA must sign a BAA with
either the
If UCSF determines that a
BA has violated a material term or obligation of the BAA, the department that is
party to the agreement and/or the UCSF Privacy Officer shall be notified and
shall seek to remedy the breach or, if that is not possible, to terminate the
agreement. Violations by a BA also may be reported by UCSF to the UC HIPAA
Compliance Office and the Secretary of the U.S. Department of Health & Human
Services (DHHS).
It is the responsibility
of each UCSF Campus or Medical Center department, division, or operating unit
contracting for services with a third party to assure that a valid BAA is in
place before any PHI is released to the BA.
Campus Low Value Procurements: The BAA shall be added to or included in all commitment and/or procurement documents under which PHI will be released to a BA. PHI shall not be disclosed when using a Request for Delivery/Purchase Order Release form under any Departmental Low Value Purchasing Authority (LVPA). Any transaction, regardless of value, shall be conducted under a procurement document issued by Campus Purchasing that clearly identifies the permitted/intended uses of the PHI to be disclosed. Inclusion of the BAA in a commitment or procurement document may be accomplished by physical amendment or by reference to a master BAA.
This Policy was written in
March 2003 and revised in May 2004 to meet HIPAA requirements and has been
reviewed by the Office of Legal Affairs, the Business Associates Subcommittee of
the HIPAA Steering Committee, the Executive Medical Board, and Office of the
Senior Vice Chancellor for Finance - Administration.
This policy will be reviewed every three (3) years or as required by a change in law or practice. Departments providing initial approval must approve any changes to the policy.
A. Department/Division Responsibility: Consistent with the Low Value Purchasing restriction stated above, it is the responsibility of each UCSF department, division, or operating unit, in collaboration with the Campus or Medical Center Purchasing Departments, when contracting for services with third parties with whom PHI will be shared, to assure that a valid BAA is executed before authorizing or receiving services.
If it is not clear whether a contract creates a BA relationship, the contract should be referred for review to the Director, Medical Center Materiel Services, or the Campus Purchasing Manager/Associate Director.
UCSF has no obligation to monitor the activities or practices of the BA, but may request additional information or assurances from the BA, including:
1. requesting a copy of the BA’s current security and privacy policies, and including these with the BAA;
2. confirmation with the BA that all subcontractors have executed written agreements to protect the integrity and confidentiality of PHI received from the BA;
3. confirmation that the BA’s employees and subcontractors have been trained to protect the confidentiality of any PHI accessed pursuant to the contract;
4. confirmation that the BA has a contingency plan in place that provides for (i) a one-year data back-up plan; (ii) a disaster recovery plan; and (iii) an emergency mode of operation plan; and/or
5. confirmation that the BA has written policies and procedures establishing rules for granting access to PHI.
B. Responsibilities of the BA: The BAA sets forth the actions for which the BA will be responsible, including:
1. Permitted Uses of PHI: The BA may only use or disclose PHI as permitted by the agreement or required by law.
2. Safeguards: The BA must use appropriate safeguards to protect the confidentiality of the information and to prevent use or disclosure other than as provided in the contract.
3. Reporting to the CE: The BA must report to the CE any use or disclosure not permitted by the contract.
4. Obligations of Subcontractors: The BA must ensure that any subcontractor or agent receiving PHI from the BA agrees to the same restrictions and conditions that apply to the BA.
5. Patient Access to PHI: The BA must make available to the CE or a patient, upon request, any PHI or other information necessary for the CE to comply with a patient’s rights to access, amend and receive an accounting of disclosures of their PHI.
6. Secretary of DHHS: The BA must make available to the Secretary of the DHHS its PHI and its internal practices, books and records relating to the use and disclosure of PHI.
7. Return or Destroy PHI: Once the contract is terminated, the BA must return or destroy the PHI received. If it is not possible to return or destroy the PHI because of other obligations or legal requirements, the protections of the BAA must remain in effect until the PHI is returned or destroyed. No other uses or disclosures of the PHI may be made by the BA other than for the purpose(s) that originally prevented the return or destruction of the information.
C. Exceptions that do not require a BAA: A BAA is not required in the following circumstances:
(1) disclosures for treatment purposes;
(2) disclosures for financial transactions;
(3) disclosures between group health plans and plan sponsors;
(4) disclosures among the CE’s workforce members for TPO;
(5) disclosures of PHI where any access to PHI would be incidental, if at all, and could not reasonably be prevented;
(6) disclosures to couriers where the person is a conduit of or carrier for PHI (including both private couriers and their electronic equivalents);
(7) software vendors, provided the contract does not require the individual or entity to access PHI in order to provide the vendor service or to verify/validate;
(8) disclosures among CEs who participate in an organized health care arrangement (OHCA);
(9) disclosures of PHI to researchers for research purposes, provided that appropriate consent and Waiver of Authorization have been obtained from the patient subjects; and
(10) disclosures of PHI between UCSF and affiliated training institutions as necessary to carry out training and educational programs, as well as to meet the accreditation requirements of each institution.
D. Exceptions for Data Aggregation Services: Generally, a BA is prohibited from using or disclosing PHI in a manner that would be prohibited if done by the CE. A BA is permitted to provide data aggregation services relating to the CE’s operations. Data aggregation means the combining by a BA of PHI received as a BA of one CE with PHI received as a BA of another CE, to create a collective aggregate database to facilitate and to permit data analyses relating to the health care operations of the respective covered entities (e.g., contracting with a quality assurance organization for benchmarking and comparative data reports).
E. Effective Dates and Transition Period: CEs must have implemented a BAA with new agreements signed after October 16, 2002 by April 14, 2003. CEs may have operated under existing contracts with BAs for up to one year beyond April 14, 2003, if the contract was not renewed or modified between the effective date of the final rule, October 15, 2002, and April 14, 2003.
A CE’s contract with a BA will be in compliance with the privacy standard until the sooner of: (1) the date that the contract was renewed or modified after April 14, 2003; or (2) April 14, 2004.
F. Questions and Communications: Communication regarding confidentiality and privacy policies and monitoring shall be directed to the Privacy Officer,
G. Accounting for Disclosures: Disclosures of PHI for non-permitted uses must be logged and provided to the patient upon request. An Accounting of Disclosures must be provided to a patient at the patient’s request.
Exceptions to the requirement for an Accounting of Disclosures are listed in UCSF Medical Center Policy 5.02.01, Confidentiality of and Access to Patient Information.
H. Reporting Violations: All known or suspected violations of this policy shall be reported to the Privacy Officer or to the Compliance Officer.
· Confidentiality of and Access to Patient Information, UCSF Medical Center Policy 5.02.01
· HIPAA Business Associates, UCSF Medical Center Policy 1.02.15
· DHHS – Health Insurance Portability and Accountability Act (HIPAA) Privacy & Security Laws [45 CFR § 164.502; 164.504]
· UC Business Associate Amendment (Vendor as BA)
· UC Business Associate Amendment (Reverse Form, UCSF as BA)
· Review Pathway for Business Associate Agreements
· Letter Template: Request for Information from Business Associate
· Letter Template: Determination – No Business Associate Relationship
· Form Template: Request for Contract Review for BAA
· Form Template: Accounting of Disclosures