Defining the business associate provision of HIPAA

Q: Your column in the June 2002 issue of MLO seems to take the position that a lab is required by HIPAA to enter into a business associate contract with any entity that may have, at any time, potential access to patient information, including cleaning services, maintenance, and service support personnel. The position taken in your column represents a significantly broader application of the business associate provisions than I had envisioned. I am now in the process of developing a policy for the implementation of the business associate provisions of HIPAA for our organization. I want to make sure that we are compliant with HIPAA, but I do not want to burden our large organization with more obligations than are necessary for compliance. Any insight you can provide on these issues would be greatly appreciated.

A: There is no question that there is diversity of opinion on who needs business associate agreements, and the rule and preamble that are supposed to define such matters are very unclear, a chronic problem with HIPAA and all related legislation. Each organization needs leaders who understand the complexities of the rule and its interpretations, and who can then decide the degree of risk to assume and the strength of the changes it wishes to institute.

Maintenance and cleaning personnel do not handle patient information in the way that attorneys, consultants, and dictating services do, but they do come into regular contact with it as a result of their jobs. The problem is that maintenance people who work on equipment in which patient information is stored (handling, copying, and revising computer discs, and reviewing entered data) and cleaning people who regularly manage the trash, which contains copies of patient care information such as duplicate slips, billing information, and so on, have rather direct and often unsupervised access.

I can understand the reluctance of larger organizations to take on the job of obtaining business associate agreements with the wide variety of contractors that enter a lab on a regular basis, but I would also be mindful of the risk of exposure of sensitive information through those routes, and of the potential embarrassment if it happens, even if there are no HIPAA complications.

An institution must have in place security measures to prevent unauthorized access to patient information, a considerable challenge in itself. HIPAA actually has two components: confidentiality and its twin brother, security. Managing any kind of information conduit identified for purposes of determining business associate contracts also requires the establishment of a secure environment for it. It is incumbent on an organization to keep patient information secure from access by regular non-patient-care contacts in order to maintain the confidentiality of the information. The question then becomes how best to do that. In law offices, for example, it is common to require that all files be stored away and locked up at the end of the day. That is one solution, but not always a practical one in places that have huge amounts of information in files that are difficult to lock up, and it certainly does not work as well when someone is working in the innards of an instrument that stores information internally. It also fails to address the problem of written material that has been disposed of without being shredded.

An organization can also accomplish both confidentiality and security, without necessarily applying an overly broad interpretation of the business associate provisions, by using confidentiality agreements that fall outside the scope or definition of business associate agreements. Such confidentiality agreements should require contractors such as janitorial services to maintain the confidentiality of individually identifiable health information incidentally discovered in the course of providing services, but can avoid the specific contractual provisions required for business associate agreements under HIPAA.

General security provisions such as limiting physical access to especially sensitive areas, providing for visitor sign-in and escorts, controlling access keys and badges, and shredding documents, are measures which laboratories can and should adopt as part of their HIPAA strategy and which would complement both business associate and confidentiality agreements.

If an organization decides to rely on two different sorts of arrangements, business associate agreements and confidentiality agreements, there should be a clear designation of the individual responsible for deciding which of the two applies, a decision that may require the assistance of an attorney both familiar with the details of HIPAA and up to date on interpretations of the rules.

My thanks to Donald E. Horton Jr., Counsel, Laboratory Corporation of America Holdings, for raising the question of overly broad application of business associate contracts, for his assistance in preparing this column, and for his suggestion concerning confidentiality agreements, incorporated above. 

Barbara Harty-Golder is a pathologist-attorney in Sarasota, FL. She directs the clinical laboratory at Health South Rehabilitation Hospital in Sarasota, and maintains a law practice with a special interest in medical law. She writes and lectures extensively on healthcare law, risk management, and human resources management.

© 2002 Nelson Publishing, Inc. All rights reserved.