HIPAA was originally focused on the portability aspect of the law, ensuring that people could take their health insurance with them when moving between jobs. Over time, the law has evolved to focus more on the protection of health information. But as technology has vastly improved the ease with which protected health information (PHI) can be moved, it is becoming imperative to concentrate on both portability and protection.
One such example is moving PHI through health information organizations (HIOs) or health information exchanges (HIEs). These are services created through state agencies or private companies that electronically transmit health information between physicians, insurers, and public health departments.
HIOs are not considered health plans or providers, so their activities do not make them HIPAA-covered entities. But because they deal with PHI, often in mass quantities, providers do typically need to have business associate agreements in place when working with the organizations.
There are a few things to keep in mind when working with HIOs. First, every HIO sponsor will have a long participation agreement that providers will have to sign. A small part of that should be the business associate agreement. Steve Phillips, chair of the technology practice group at Hooper, Lundy & Bookman, PC, recommends visiting the Health and Human Services website where a template of an agreement can be found and used as a checklist to ensure the agreement meets minimum HIPAA requirements.
“If you are going to jump in a pool, you want to make sure other people in there are following the pool rules,” he said.
He recommends paying attention to basic points, including:
- the responsibilities of the operator
- if the HIOs are legal and licensed
- if the HIOs will make their best efforts to prevent breaches
- if the HIOs will work to ensure other participants comply with their agreements
- permitted uses of the data
- who is participating in the exchange (Phillips said he is wary when insurers are included)
Liability is also an area that every business associate agreement should address. Gary Pritts, president of Eagle Consulting Partners, Inc., said providers should ensure the HIO is the responsible party should a breach take place. Otherwise, the provider is “on the hook” for breach notification or mitigation. The contract should also spell out who is responsible for the cost of any breach that may occur.
Van Zimmerman, safety officer at Jersey Health Connect, said providers should look at the terms of any agreement with an HIO. Here are a few things he recommends watching out for:
- Does joining the HIO involve executing other agreements, such as third-party agreements with software vendors, and are those terms reasonable?
- Are there legal and technical protections in place for data that the HIO needs to protect over and above run-of-the-mill PHI?
- Does the agreement provide protections with respect to data uses that are not contemplated today?
Some of this, he said, is based on state-specific laws.
Aside from the business associate agreement, consent from patients to share their PHI should also be considered, advised Lisa Pierce Reisz, a partner in the healthcare group at Vorys, Sater, Seymour and Pease LLP. Providers can use either an opt-out method or an opt-in method (the latter theoretically more difficult to obtain). Laws vary by state as to which must be used, but she said many states lean toward opt-in for the sake of full transparency.