 HIPAAdvisory > HIPAAction > Privacy Phoenix Health Systems

Shaping Up Your Business Associates --
A Case Study on Compliance and Better Relationship Management

by DeDee Birdsall
February 2002

Do you know who your Business Associates are? According to HIPAA, a Business Associate is "a person who performs a function or activity on behalf of a covered entity." Examples are lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms and billing firms. Your Business Associate can also be a covered entity; however, Business Associates are not members of your workforce.

According to the Privacy regulation, if you're a covered entity, it's your job to require that all Business Associates comply with the law, as well as any agents or subcontractors thereof. With all that said, who really qualifies as a true Business Associate? How do you locate and understand all the relationships in place in your organization? Is there one person who holds the key? Does a repository of information exist? Do you have dedicated staff for managing these relationships? In our organization, the answer to most of these questions is no.

So where do you begin and what must you consider? In our organization's attempt to tackle Business Associates, we identified methods for logically breaking down this process into more manageable pieces and have been steadily working at the process for several months. Hopefully, this document will provide some insight into one method for complying with all privacy laws and building and maintaining better Business Associate relationships.

BUILDING THE PROJECT TEAM AND SETTING DIRECTION

Our Business Associate project team was organized and includes the privacy officer, HIPAA project manager, technical writers, corporate counsel and various administrative personnel. The team is responsible for interpreting the law, defining goals related to Business Associates, creating task lists and timelines and moving the project forward.

Through discussions regarding current processes, we determined that an inventory of our Business Associates was necessary and that, if possible, the information should be captured and stored in an online database. Creating a central database of easily accessible Business Associate information would be a strong foundation for improving our processes regarding third-party relationships. Technical staff were added to the project team to develop the database template for all Business Associates. The overall goal with the database was to provide one-stop shopping for all our Business Associate information.

The finished database template contains fields to identify historical accounts of all relationships including details regarding contract and customer ownership; contract terms; amendment history; relationship and compliance summaries; and various attributes related to the relationship. Plans for scanning physical contracts and amendments were also approved and processes were identified for creating linked PDF files. The template was created and approved, and provided the direction for conducting the inventory.

CONDUCTING THE INVENTORY AND BUILDING THE DATABASE

The next step in the process was to begin the Business Associate inventory. Technical writers were assigned to this function and began by working with our legal department to do an initial review of current contract processes and obtain reports detailing Business Associates. In theory, this seemed to be a straightforward task; however, the database template was much more specific than information that historically had been kept on Business Associates. With the recent influx of privacy laws, we made the decision to rebuild the files and to provide more detail than in the past. So, as you can see below, our inventory task became much more difficult than originally anticipated and required extensions to the original project timelines.

The following steps make up the inventory portion of the project, which is currently underway. We anticipate that the inventory and database work will continue throughout the life of the project.

  • Draft a definition of Business Associates as related to the Gramm-Leach-Bliley Act (privacy of non-public information) and HIPAA.
  • Create a list of current Business Associates from legal department files or through interviews with contract relationship managers.
  • Locate and record all in-house contract relationship managers.
    This is an important step in understanding the relationships. Without in-house ownership attached to the contracts, it is difficult to understand and document the relationship.
  • Locate missing Business Associates, or relationships that have been established outside the corporate contract process, by producing accounts payable reports by cost center for the past year.
  • Eliminate obvious payees including charitable and professional organizations. Research questionable payees that fall within the structure of the database.
  • Update the database with missing Business Associate information.
  • Provide contract relationship managers with procedures and a definition for determining the relationship status of each partner (Business Associate or non-Business Associate with regard to Gramm-Leach-Bliley and HIPAA).
  • Code all contracts on the database to indicate relationship status.
  • Interview contract relationship managers to capture information for the database.
  • Document relationship summaries and populate the database for each Business Associate. (The database includes fields to hold names, addresses, contract details such as length of term, amendment history, type of contract, summary of the relationship, products the contract supports, and compliance summaries).
  • Scan all contract files to PDF files and attach to the appropriate Business Associate file in the database.
  • Create programs to pull all Business Associate names and addresses for auto mailing of the Confidential Information Agreement and auto-generated cover letter.
  • Verify all Business Associate information is accurately entered into the database.

UPDATING CONTRACTS

Updating existing contracts and changing procedures for establishing new Business Associate relationships began shortly after the research task started. The project team was broadened to include outside counsel, executive management, and steering committee members. Many questions were raised regarding the approach to take, i.e., what type of agreement to have. We weighed the pros and cons of having separate contracts in support of the chain of trust, trading partner, and Business Associate agreement, or having one contract to incorporate these along with the agreement required by Gramm-Leach-Bliley for the confidentiality of non-public information. Timeframes for compliance were also examined, and the team made the decision to attempt one agreement by the July 1, 2002, Gramm-Leach-Bliley compliance date.

The result was a single Confidential Information Agreement that reflects our company's commitment to maintain the confidentiality of information it has developed or that has been entrusted to it. The agreement states that our company's obligation to keep information confidential arises from various laws, regulations, contractual commitments and company policy. This agreement, when accepted by both parties, will become an addendum to the original contract for all existing Business Associates and will satisfy compliance requirements for both laws. The agreement will also become a part of new Business Associate relationships as they're established. The agreement is easy to understand, and clearly identifies three separate privacy issues:

  • Confidentiality of Health Information
  • Personally Identifiable Financial Information
  • Business Confidential Information (covers proprietary information)

Although our Business Associate agreement is still in the draft stage, we believe once approved by the project team, it will serve all purposes under Gramm-Leach-Bliley and HIPAA and will protect our proprietary information.

In addition, new procedures are being developed for in-house relationship managers to facilitate discussions with new Business Associates if we are unable to reach agreement on the terms and conditions of the Confidential Information Agreement.

The steps involved in updating existing contracts include:

  • Develop and obtain approval of Confidential Information Agreement.
  • Create an automated address file from Business Associate database.
  • Develop Business Associate cover letter explaining agreement.
  • Develop a follow-up letter, with automatic generation, for cases where no response is received in 30 days.
  • Develop internal automated processes for generating the cover letter and all subsequent follow-up letters.
  • Mail agreements to all Business Associates.
  • Develop a process for receiving and recording returned mail and signed responses.
  • Develop a process for negotiating contractual language with Business Associates.
  • Develop an automated process for audit trail on the database to indicate mailing and acceptance dates.
  • Scan all signed contracts and link to appropriate Business Associate file on the database.
  • Complete database fields related to compliance for Gramm-Leach-Bliley and HIPAA.

IMPLEMENTING NEW PROCESSES

With research and implementation underway, we found it was time to consider new processes for maintaining better relationships with our Business Associates. Through project definition and task lists, we have been able to easily establish these processes. Once refined, they will be presented to the HIPAA steering committee and executive management for review and approval with implementation in 2002. The following tasks represent new process ideas. It is anticipated that this list will continue to grow as work continues on the overall project.

  • Define responsibility for maintenance of the database and all third-party relationships. Determine if dedicated staff exists or a contract administrator is required.
  • Define contract control procedures by documenting processes required by all in-house contract relationship managers to complete a thorough and consistent contract review before a contract is signed or renewed. Steps to be considered include guidelines for reviewing basic contract provisions for such things as termination, mutual indemnification, confidentiality, exclusivity, reciprocity, and attention to all state laws.
  • Create process by which authorized staff review and approve all pending contracts. Applicable parties should include staff from corporate financial, executive, and legal.
  • Publish and maintain a list of qualified contract signers/in-house relationship managers.
  • Establish procedures for the contract administrator or dedicated staff to build and maintain relationship files in the database as new relationships are formed and existing relationships are renewed.
  • Develop reports to flag renewals, terminations, and missing relationship information.
  • Establish annual review procedures for existing contracts and relationships. Work with in-house relationship managers to verify all information is accurate.
  • Establish procedures for contract termination and file archiving on the database.

MAINTAINING RELATIONSHIPS AND MEETING COMPLIANCE REQUIREMENTS

Overall, when it comes to maintaining Business Associate relationships, we now believe we should be able to easily answer these questions:

  • Do we understand the term "Business Associate" as it relates to privacy laws?
  • Do our Business Associate contracts comply with all privacy laws?
  • Do we have auditing procedures in place to assure compliance?
  • Do we have dedicated staff to manage third-party relationships and Business Associates?
  • Do we have a repository of information regarding all third-party relationships and Business Associates?
  • Do we have procedures in place for interacting with third parties on a regular basis?
  • Do we have procedures in place for establishing new relationships and maintaining existing relationships?

If the answer to any of these questions is "no," it's time to review our practices, revisit the project plan, assign resources, and complete the unfinished tasks. The answer must be yes to move forward.

When we look at this project, we see HIPAA as a means of helping us define procedures that make us better third-party relationship managers. Like many projects related to HIPAA, it just makes good business sense! However, given the compliance date and the number of projects, most companies are not equipped to manage so many "good practice projects" in the same year. Good luck, and we hope this is helpful for those of you in the early stages of defining your Business Associate project.


DeDee Birdsall is an Assistant Vice President at American Republic Insurance Company and serves as its HIPAA Project Manager. American Republic Insurance Company offers a variety of major medical, Medicare supplement, life, annuity and critical care/cancer care products.
