UMHS Policy 01-04-400
Business Associate Agreement
Effective Date: April 14, 2003
Published: November 18, 2004
I. POLICY STATEMENT
It shall be the policy of the University of Michigan Health System (UMHS) to enter into a written business associate agreement, as required by HIPAA, with any person or entity that either (1) performs for a covered entity of UMHS, or assists UMHS in performing, any activity on behalf of UMHS, involving the use or disclosure of UMHS PHI or (2) provides legal, accrediting, actuarial, accounting, consulting, data aggregation, management, administrative, or financial services to or for a covered entity of UMHS. This business associate agreement shall document assurances from the outside party that it will not use or disclose PHI except as permitted by law; and to the extent the outside party maintains PHI in the Designated Record Set, the outside party will cooperate with UMHS to honor patient rights as mandated by the Privacy Rule in accordance with the required timelines for response.
This policy primarily focuses on evaluating relationships with suppliers of products and services to UMHS who may be Business Associates of UMHS, but see Section IV.8 for the case where another covered entity asserts that UMHS is a business associate of that entity.
II. POLICY PURPOSE AND SCOPE
The purpose of this policy is to protect the patient, the clinical team, and UMHS from inappropriate dissemination of information regarding the care of individual and collective patients when PHI is transferred to a business associate.
This policy applies to all workforce members of UMHS except M-CARE, M-CAID, MHC, Kids Care, MHMC, and those subsidiaries and joint ventures of MHC that are not affiliated covered entities of the University or included in the University's organized health care arrangement. The policy refers to all information resources, whether verbal, printed, or electronic, and whether individually controlled, shared, stand-alone or networked.
III. DEFINITIONS
See UMHS Policy 01-04-300 for the definitions of italicized terms. (Terms are only italicized the first time they appear in a given policy.)
IV. POLICY STANDARDS
A. Authority to Execute Business Associate Agreements. Only persons authorized by this policy to do so may execute a Business Associate Agreement, and only in compliance with the provisions of this policy.
B. Units Added to the Covered Entity. If a unit of UM is added to the covered entity, the Privacy Director or his or her designee(s), with assistance from the Office of the General Counsel as necessary, shall review that unit's contracts with outside suppliers that involve use or disclosure of PHI in order to determine whether such contracts/relationships need to include business associate agreement provisions. UMHS personnel shall forward necessary existing supplier contracts to the Privacy Director or designee for review if such contract:
1. involves the use or disclosure of UMHS PHI by the supplier, and
2. has not already been reviewed and approved by the Office of General Counsel or Privacy Director (i.e. is not a standard UM Business Associate Agreement).
C. New Contracts. The general Business Associate process is illustrated in The Business Associate Agreement Process.
1. Contracts that may require business associate agreements shall be routed to the appropriate processing unit / authorized signer as shown in The Business Associate Agreement Process:
a) Campus, Goods and Services: University of Michigan Purchasing
b) UMHS, Goods and Services: UMHS Contracts and Procurement
c) Sponsored Research and Education: Division of Research Development and Administration (DRDA)
d) Technology Transfer: Technology Management Office (TMO)
e) Offsite Clinical Professional Services, Managed Care Contracting for Clinical Services, Educational Affiliates: UMH Contracting Office
f) Agreements where UMHS has been confirmed to be a BA: UMH Contracting Office
2. All new relationships with service and product suppliers that involve the use of UMHS PHI shall be evaluated for the need of a business associate agreement consistent with the Business Associate Decision Tree. This includes not only contracts with persons who will have substantial contact with such information (e.g., a business process outsourcing to a supplier for maintenance or transcription of patient records), but also those who will have only incidental contact with PHI (e.g., janitorial, security services, and certain suppliers).
3. The U-M Business Associate Agreement shall be presented to suppliers as the preferred option as required by this Policy and the Business Associate Review Decision Tree.
a) Purchasing may process the UM Business Associate Agreement as long as no material changes are made.
b) Approval of the Privacy Office is required if:
1) There is any material deviation from the UM Business Associate Agreement; or
2) The supplier's business associate agreement is used instead of the UM Business Associate Agreement.
D. Exceptions. Certain parties performing activities involving UMHS PHI may be exempt from the requirement to sign a business associate agreement. UMHS designated personnel should consult the Business Associate Decision Tree and further consult with the Privacy Director and/or the Office of General Counsel as needed. Some examples of categories of persons who may be exempt include:
1. Health care providers (e.g. other physicians, hospitals, clinics, healthcare facilities, pharmacies or ambulance companies) who receive UMHS PHI only for treatment purposes;
2. Certain device manufacturers who only need PHI to counsel a surgeon on or determine the appropriate size or type of prosthesis for the surgeon to use during a patient's surgery, or otherwise assist the doctor in adjusting a device for a particular patient, in which case HIPAA treats the device manufacturer as a health care provider;
3. Payors who receive PHI only for payment of a claim;
4. Official investigators (e.g. of the Food and Drug Administration, Centers for Medicaid and Medicare Services "CMS" or Office of Civil Rights, etc.) who receive PHI in the course of an official investigation and are not, therefore, performing a function on UMHS' behalf (NOTE: disclosures to these agencies must be tracked);
5. Certain workers who are not employed by UMHS, but work mostly on-site at UMHS, and who are deemed to be UMHS workforce members (these personnel are required to undergo UMHS HIPAA training and sign the UMHS Code of Conduct (Confidentiality) Statement and Certification form);
6. Certain entities participating in an Organized Health Care Arrangement with UMHS;
7. Certain persons performing legally required functions or activities on behalf of UMHS, provided that UMHS shall attempt to obtain satisfactory assurances that the PHI shall be held confidential as required by 45 C.F.R § 164.504(e), and, if no such assurance is obtained, the UMHS shall document its attempts and the reason that assurances could not be obtained.
E. Disclosures to Business Associates. UMHS may disclose PHI to a business associate, though only as necessary to enable the business associate to carry out its function.
1. The business associate agreement shall require the business associate to safeguard the PHI in accordance with the requirements of the HIPAA Privacy Standards at 45 C.F.R. § 164.504(e)(1). See http://www.umich.edu/~purch/Forms/DB_BUSINESS_ASSOCIATE_ADDENDUM.doc for standard business associate agreement provisions.
2. UMHS shall inform a business associate of changes to its use and disclosures of PHI in its notice if it affects the business associate's use or disclosure.
F. Uses and Disclosures by Business Associates. A business associate may use and disclose PHI only:
1. as permitted for the purposes set forth in the business associate agreement;
2. for the proper management and administration of the business associate;
3. if expressly permitted by the terms of the business associate agreement, the business associate may provide data aggregation services relating to UMHS's health care operations;
4. to carry out the legal responsibilities of the business associate; and
5. as otherwise specified in the business associate agreement.
G. Violation of Business Associate Agreements. UMHS is not required to monitor its business associates for compliance with their business associate agreements. If UMHS obtains knowledge that a business associate has engaged in activity that is a material violation of the business associate's obligations under the business associate agreement, UMHS shall take reasonable steps to cure the breach or end the violation. If continuing violations occur, UMHS shall terminate the contract, if feasible, or if it is not feasible to terminate the agreement, shall report the violation to the Secretary of Health and Human Services.
H. UMHS as Another Entity's Business Associate. Where another HIPAA covered entity asserts that UMHS or UMHS personnel is their business associate, UMHS personnel must:
1. Obtain a written explanation from that covered entity justifying their designation of UMHS as their business associate, and
2. Forward the following information to the Privacy Director or designee for review:
a) the written request and justification
b) any business associate agreement form provided by the outside covered entity
c) a detailed description of the underlying relationship
3. Refrain from signing the agreement until they have received permission to do so from the Privacy Director or designee
V. PROCEDURE/ACTIONS
None
VI. EXHIBITS
Business Associate Agreement Process
Business Associate Review Decision Tree
U-M Form Business Associate Agreement
VII. REFERENCES
None
Author: UMHS Compliance Office, 615-8350
Approved provisionally by: The Health System Executive Group - April 10, 2003
Approved by: UMHS Compliance Officer - November 16, 2004;
and the Director and CEO, UMHHC, and Associate Vice President, UMHS - November 18, 2004
Original policies are held by Carolyn Ladd, Policy Coordinator, Office of the Director and CEO, UMHHC, telephone 647-2510