Incorporating HIPAA-relevant language into new vendor agreements

Q: I have been appointed to a hospital committee on HIPAA. One of the tasks I have been charged with is helping to identify vendors and other business partners for business associates agreements, and to help draft the departmental policies to help make sure that any agreements with new vendors include HIPAA-relevant language. What's the best way to proceed?

A: HIPAA requires an institution not only to ensure the confidentiality of information within its walls, but also to take steps to ensure that outside vendors, consultants, and associates who may have access to confidential information know that they are obligated to maintain the confidentiality of that information as well. Laboratories deal almost exclusively in confidential patient information, and, because of outside relations with reference labs and technical vendors who may have access to confidential data, it is especially important that steps are taken to ensure that no outside resource breaches patient confidentiality.

Certainly, the first step is to identify those business associates who have any relationship with the lab, and of that group, identify those that may have, at any time, potential access to patient information. Suppliers of test tubes, for example, probably will not have access to patient information, but a variety of others will: cleaning services; maintenance and service support personnel; reference labs; even the physician who serves as medical director. Proper identification of all potential contacts with patient care data, even those outside the ordinary course of business (such as the cleaning staff who may inadvertently see patient information left lying on a supervisor's desk), is the starting point for drafting and obtaining the proper business associate contracts.

The next step is to identify and complete a chain of responsibility for maintaining privacy. In many cases, existing contracts may already include language that requires the associate to follow privacy rules and regulations; if so, the details of those contracts should be examined to ensure that they comply with the revised and expanded requirements of HIPAA. In some cases, a separate privacy agreement must be drafted. It's a good idea to give final authority for contract review to one person, but to seek input from all divisions of the laboratory to see that all potential business contacts are recognized.

HIPAA has specific requirements for each business associate. Business associates must agree to:

  • Maintain the confidentiality of any patient information they have or receive, subject to the same disclosure requirements imposed on the hospital itself by HIPAA.
  • Report any disclosures that are not permitted by HIPAA to the primary institution. This requirement also implies that the business associate must be able to assess its own employees' compliance with HIPAA regulations and must have an adequate surveillance and reporting system to ensure that confidentiality requirements are met. It is not the responsibility of the hospital to enforce or to supply such a compliance program to a business associate, but if a business associate proves inadequate in its management of confidential information, continuing the business relationship is risky.
  • In the same way that hospitals must require business associates to respect confidentiality, business associates must ensure that their subcontractors maintain privacy safeguards. It is not the responsibility of your hospital to make certain these safeguards are met, but to make clear in the contract that the vendor must take steps to protect patient information from improper release.
  • If the business relationship involves actual transfer of personal information, the business associate must return or destroy all protected information at the termination of the contract.
  • As is required of the hospital, the business associate must make available its records about handling of protected information upon demand by HHS, must make provisions for releasing protected information to the patient (especially important in reference lab situations), and must keep a record of disclosures. For most business associates of a laboratory, other than reference labs, there should be few permitted disclosures, making this provision relatively innocuous.
  • The contract must permit termination of the agreement if the business associate fails to maintain proper standards of privacy for protected information. Because this may impact laboratory performance, lab input into determining when a breach has occurred, and a back-up plan to replace terminated vendors, may be critical.

Ultimately, the decisions about how to write business associate agreements and which relationships require them will be legal ones, made by the hospital attorney. Understanding the basis on which those decisions will ultimately be made will assist you in providing the necessary information so that proper agreements can be drafted and no potential privacy leak goes unplugged.

Barbara Harty-Golder is a pathologist-attorney in Sarasota, FL. She directs the clinical laboratory at Health South Rehabilitation Hospital in Sarasota, and maintains a law practice with a special interest in medical law. She writes and lectures extensively on healthcare law, risk management, and human resources management.

© 2002 Nelson Publishing, Inc. All rights reserved.