Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 2 - Uses and disclosures: Organizational Requirements

 

Title: Business Associate Contracts
Policy: PRV-02.01
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.504(e)(1)
Standard: Uses and disclosures: Organizational Requirements
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To establish the content that must be in the Business Associate Agreement between OSU and its Business Associates.

Policy

A contract between OSU and a business associate must:  §164.504(e)(2)

  1. Establish the permitted and required uses and disclosures of protected health information by the business associate.  The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of the Privacy Rule, if done by OSU, except that:  §164.504(e)(2)(i)
    1. The contract may permit the Business Associate to use and disclose protected health information for the proper management and administration of the business associate, and  §164.504(e)(2)(i)(A)
    2. The contract may permit the business associate to provide data aggregation services to the health care operations of OSU.  §164.504(e)(2)(i)(B)
  2. Provide that the business associate will:  §164.504(e)(2)(ii)
    1. Not use or disclose the information other than as permitted or required by the contract or as required by law;  §164.504(e)(2)(ii)(A)
    2. Use appropriate safeguards and comply, where applicable, with the Security Rule with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;  §164.504(e)(2)(ii)(B)
    3. Report to OSU any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by §164.410 Notification by a Business Associate;  §164.504(e)(2)(ii)(C)
    4. In accordance with §164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;  §164.504(e)(2)(ii)(D)
    5. Make available protected health information in accordance with §164.524 Access of Individuals to protected health information;  §164.504(e)(2)(ii)(E)
    6. Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526 Amendment of PHI;  §164.504(e)(2)(ii)(F)
    7. Make available the information required to provide an accounting of disclosures in accordance with §164.528 Accounting of Disclosures of PHI;  §164.504(e)(2)(ii)(G)
    8. To the extent the business associate is to carry out OSU’s obligation under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to OSU in the performance of such obligation.  §164.504(e)(2)(ii)(H)
    9. Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, OSU available to the Secretary for the Department of Health and Human Resources for purposes of determining OSU’s compliance with the Privacy Rule; and  §164.504(e)(2)(ii)(I)
    10. At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, OSU that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.  §164.504(e)(2)(ii)(J)
  3. Authorize termination of the contract by OSU, if OSU determines that the business associate has violated a material term of the contract.  §164.504(e)(2)(iii)
Procedure

The HIPAA Compliance Office will work with the OSU-Tulsa Business Affairs Office to ensure that the current version of the Business Associate Agreement reflects all applicable HIPAA requirements.

The current version of the BAA contains all of the above-mentioned elements.

Reference

§160.103 Definition of Business Associate



Title: Other Arrangements
Policy: PRV-02.02
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.504(e)(3)(i)
Standard: Uses and disclosures: Organizational Requirements
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To establish what other types of documents and what conditions may satisfy the requirement of having a Business Associate Contract.

Policy

Since OSU is a state (governmental) agency, if the business associate is also a governmental agency, then:  §164.504(e)(3)(i)

  1. OSU may comply with §164.314(a)(1) Business Associate Contracts, if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of policy PRV-02.01 Business Associate Contracts and §164.314(a)(2).  §164.504(e)(3)(A)
  2. OSU may comply with this implementation specification and §164.314(a)(1), if applicable, if other law (including regulations adopted by OSU or its business associate) contains terms that accomplish the objectives of Policy PRV-02.01 and §164.314(a)(2), if applicable.  §164.504(e)(3)(B)
    • If a business associate is required by law to perform a function or activity on behalf of OSU or to provide a service described in the definition of business associate in §160.103 of the HIPAA Administrative Simplification law to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and § 164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by Policy PRV-02.01 and § 164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.  §164.504(e)(3)(B)(ii)
    • OSU may omit from its other arrangements the termination authorization as required in policy PRV-02.01 Business Associate Contracts, if such authorization is inconsistent with the statutory obligations of OSU or its business associate.  §164.504(e)(3)(B)(iii)
    • OSU may comply with this language in the policy and §164.314(a)(1) if OSU discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and OSU has a data use agreement with the business associate that complies with §164.514(e)(4) Data Use Agreement and §164.314(a)(1), if applicable.  §164.504(e)(3)(B)(iv)
Procedure

If OSU is unable to enter into a business associate agreement, or if the situation requires an arrangement other than a business associate agreement, OSU will either disclose only a limited data set, as long as a data use agreement is in place and meets all of the specifications described in the policy above, or will include language in a memorandum of understanding (MOU) or other legal document that meets the required specifications.

Reference

§160.103 Definition of Business Associate



Title: Other Requirements for Contracts and Other Arrangements
Policy: PRV-02.03
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.504(e)(4)
Standard: Uses and disclosures: Organizational Requirements
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To establish what other requirements OSU has to abide by and what conditions may satisfy the requirement of having a Business Associate Contract or other arrangement.

Policy

The contract or other arrangement between OSU and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to OSU, if necessary:  §164.504(e)(4)(i)

  1. For the proper management and administration of the business associate; or  §164.504(e)(4)(i)(A)
  2. To carry out the legal responsibilities of the business associate.  §164.504(e)(4)(i)(B)

The contract or other arrangement between OSU and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in the first paragraph of this policy, if:  §164.504(e)(4)(ii)

  1. The disclosure is required by law; or  §164.504(e)(4)(ii)(A)
  2. The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and  §164.504(e)(4)(ii)(B)(1)
  3. The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.  §164.504(e)(4)(ii)(B)(2)
Procedure

OSU will include language in the business associate agreement, or in the other legal document constituting the arrangement, that allows the business associate to use the information for its own proper management and administration and to carry out its legal responsibilities.

OSU will also include language requiring the business associate to obtain reasonable assurances from any downstream contractor, subcontractor, or other person to whom the business associate discloses information that the information will be held in confidence and that, should any breach of confidentiality occur, the downstream entity will follow the appropriate breach notification protocols.

Reference

§160.103 Definition of Business Associate



Title: Business Associate Contracts with Subcontractors
Policy: PRV-02.04
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.504(e)(5)
Standard: Uses and disclosures: Organizational Requirements
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To establish the responsibilities subcontractors have under HIPAA.

Policy

Policies PRV-02.01 through PRV-02.03 apply to the contract or other arrangements required by §164.502(e)(1)(ii) Disclosures to Business Associates between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between OSU and business associates.  §164.504(e)(5)

Procedure

OSU will include language in its business associate agreements or other arrangements that places the same responsibilities on subcontractors (if any) as apply to a business associate of OSU with regard to the disclosure of protected health information under the Privacy Rule.

Reference

§160.103 Definition of Business Associate



Title: Requirements for a Covered Entity with Multiple Covered Functions
Policy: PRV-02.05
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.504(g)
Standard: Uses and disclosures: Organizational Requirements
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To establish the responsibilities of OSU, since OSU operates multiple covered functions under HIPAA.

Policy

Because OSU performs multiple covered functions that make it any combination of a health plan, a covered health care provider, and a health care clearinghouse, OSU must comply with the standards, requirements, and implementation specifications of the Privacy Rule as applicable to each of the health plan, health care provider, or health care clearinghouse covered functions it performs.  §164.504(g)(1)

Because OSU performs multiple covered functions, it may use or disclose the protected health information of an individual who receives health plan services or health care provider services, but not both, only for purposes related to the appropriate function being performed for that individual.  §164.504(g)(2)

Procedure

OSU is a hybrid entity and operates as a covered health care provider and as a clearinghouse in two separate functions.  OSU does not operate a health plan of any kind, and as such will not need to follow the rules specifically for health plans.

OSU’s health care providers and the clearinghouse are two distinct organizational departments under the OSU umbrella.  Claims information from OSU’s health care providers is sent to OSU’s clearinghouse.  The clearinghouse serves adjunct faculty who provide teaching opportunities to OSU medical students and OSU’s Residency Doctor program.

Reference

§160.103 Definition of Business Associate

SEC-03.01 Isolating Health Care Clearinghouse Functions
