HIPAAdvisory > HIPAAction > Compliance - Phoenix Health Systems

Tips on Contracting for
Health Information Sharing and Processing

by John R. Christiansen - Stoel Rives LLP
Cell: 206.498.2019 - Office: 206.386.7520
Reprinted with permission

Many readers may already be aware that the Privacy Regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") will require the use of "Business Associate Contracts" between organizations which need to transfer, use or disclose protected health information.  Readers may also be aware that the draft HIPAA Security Regulations require such parties to have "Chain of Trust Agreements" as well.

Some readers may not, however, appreciate that it is already a matter of simple prudence to have a good contract in place before entrusting sensitive information to another party for any purpose, whether or not HIPAA is applied.  My clients have been working with appropriate forms of these kinds of contracts for some time already, and where they are involved in long-term business relationships we are already negotiating toward forms of contract which are likely to be HIPAA-compliant.

Business Associate Contracts and Chain of Trust Agreements.

Conceptually, a Business Associate Contract is an agreement whose terms follow and concern the treatment of sensitive or legally protected information.  Under the draft Privacy Regulations the term refers to an agreement between a health care provider, health plan or health care clearinghouse (HIPAA’s "Covered Entities") and virtually any other organization to which a Covered Entity discloses or transfers protected information.  This form of contract primarily serves to bind the Business Associate to the same privacy obligations with respect to protected information as apply to the Covered Entity. [1]

A Chain of Trust Agreement, on the other hand, follows and concerns the information systems and communications channels in which information is stored, processed and transferred, creating a "trust relationship" between systems operated by different organizations.  This relationship allows users on each of the two systems to obtain or process information in the other system, [2] including sensitive or legally protected information.  The draft Security Regulations provide no details about the terms required for Chain of Trust Agreements, but generally speaking network "trust management" requires the implementation of policies and procedures which ensure that only properly qualified and authorized users are permitted to have access to protected or sensitive systems or information.

Some have suggested that it is premature to try to develop the above kinds of agreements until at least the HIPAA regulations are final, and even that it might be preferable to wait until Congress has acted to supersede the regulations (or made it clear it will not do so).  This attitude is mistaken for two reasons:

  1. The core concepts, that privacy protections should follow information and that networked systems should be managed in a trustworthy fashion, are fundamental and unlikely to be changed by either modifications to the regulations or by legislation.  Given the lead time necessary to institute major modifications in the contractual relationship between two significant organizations, discussions should be going on already.
  2. HIPAA is not the only source of legal privacy risks and compliance needs.  The Federal Trade Commission ("FTC") recently filed an action against DoubleClick for failure to comply with its published privacy policies, and a private class action based upon comparable allegations has been filed against RealNetworks.  Last year, a private class action was filed against CVS, Glaxo-Wellcome and a number of other companies, alleging breach of privacy through use of prescription information for marketing purposes.  The states are getting into the act in a variety of ways, and any international company needs to be attentive to the implications of the Privacy Directive issued by the European Union.

In order to manage these processes and risks, then, it is not too early to begin examining existing contracts for their adequacy, and negotiating the kinds of terms which will have to be instituted in Business Associate Contracts and Chain of Trust Agreements. [3]  This process, done correctly and with good will, will force the parties to develop policies, practices and procedures to manage and reduce their risks of privacy breaches under all applicable laws, and reduce potential exposure for such parties’ errors or omissions in managing protected or sensitive information.

Suggested Negotiation Areas.

The specific terms which will need to be addressed, and their appropriate resolution, will depend upon the specific details of the parties’ relationship and operational needs.  In my own practice, negotiations are tending to address primarily the following items:

  1. Privacy policies which describe:

    1. The kinds of protected health information which are the subject of the agreements.
    2. The uses the parties receiving such information may make of it.  For example, a health care clearinghouse receiving information from a health care provider should be limited to processing and transmitting such information as required for claims submission.
    3. The additional parties, if any, to which such information may be disclosed.  It would be desirable to address this in both general and specific terms; for example, the health care clearinghouse in the foregoing example might be permitted to disclose information both to the specific, identified plans who pay the provider’s claims, and in general to law enforcement agencies in response to appropriate process.
    4. Any procedures by which a subject individual may seek to view, and/or request an amendment of or correction to information (where applicable).
    5. An identification of an officer responsible for administering the privacy policies, including contact information.
  2. The party receiving information should warrant to the information source that it will not use or disclose any information received from the organization for any purpose outside the scope of services stated in its contract.
  3. Organizations which share or transmit information by network need to establish a set of security policies and procedures to establish "trusted systems" for the handling of all processes involving protected information.  These security items include but are not necessarily limited to:

    1. Commercially reasonable authentication processes for access to protected information by authorized individuals.
    2. Hardware/software configuration which precludes unauthorized access to or disclosure of protected information.  This analysis should include an assessment of possible weak points, and a description of the way the configuration is integrated with physical and corporate security items.
    3. Physical security, ensuring that unauthorized personnel do not have access to sites or facilities which would permit them to view, process or disclose protected information.
    4. Corporate security, which would include:
      1. Designation of a senior officer or officers with responsibility for security oversight.
      2. Specifications and job descriptions for "trusted" positions (positions which are permitted access to protected information or sensitive systems, including the justification for such access).
      3. A prohibition against all non-trusted personnel having access to protected information or sensitive systems.
      4. Competent background check processes for qualification of trusted personnel.
      5. Disciplinary policies and procedures for enforcement of applicable personnel policies.
      6. Incident response policies and procedures.
      7. Appropriate insurance.
    5. Protected information integrity protection and backup processes.
    6. If either of the parties relies upon third parties to provide material aspects of their services, that party needs to verify that these services also comply with the contractual obligations of security and privacy (to the extent applicable given the kind of service), and will be in place or can be readily substituted throughout the term of the contract.
  4. It is recommended that the parties include provisions for audits of security and privacy practices by an independent third party at least annually, with a provision for additional audits in case of material security or privacy breach incidents.
  5. Any long-term contract will have to include mechanisms allowing for amendment to incorporate policies or procedures needed to address changes in the law and/or newly identified security threats, etc.

Conclusion:  Start Now, Adapt to HIPAA Later.

In order to help manage risks arising under current laws, contracts dealing with at least the above issues should be established and implemented as soon as reasonably possible.  In order to ensure HIPAA compliance, the parties should share a bottom-line commitment to complete implementation no later than the end of 2002. [4]

If there is some question of the competence of one or more of the parties, it might be wise to require an interim audit in 2001 to identify gaps and issues, and perhaps to make the continuation of the contract beyond the actual HIPAA compliance date contingent upon passage of an audit shortly before that date.  In any event, the parties should plan to coordinate revisions to their contracts, policies and procedures over time to ensure that they not only comply with HIPAA, but comply as well with any other applicable laws, and adapt to changing technologies and public expectations.
[1] The Business Associate Contract provisions proposed in the draft Privacy Regulations also include some controversial terms, including required provisions allowing for governmental investigative access to each party’s records, and allowing the individuals who are the subject of the information to sue the parties in case they breach the contract.

[2] According to Newton’s Telecom Dictionary, "[a] trust relationship is the link between two domains (e.g. two servers on a network) that allows a user with an account in one domain to have access to resources on another domain."

[3] There is no reason why the two kinds of contract cannot be folded into a single document, and this may be a better way to address issues and ensure that they are given consistent coverage.  The distinction between the two kinds of agreement in the HIPAA regulations is probably just an artifact of the drafting process.

[4] HIPAA provides that Covered Entities have two years from the date final regulations are issued to come into compliance.  As of the date of this article the official date for issuance of the final Privacy and Security Regulations was officially "unknown."  However, it is the author’s opinion that these regulations will be issued by the Clinton Administration as a "legacy" item.  Since the current Presidential term ends in January 2001, the final regulations should be expected in late 2000.
Disclaimer: This information is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.