The HIPAA Privacy Rule and HITECH regulations permit a covered entity to disclose protected health information to a business associate, and may allow the business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A person or entity qualifies as a “business associate” if the person or entity performs or assists in performing, for or on behalf of the covered entity, business support functions or services that involve the use of protected health information. UW-Madison follows the HIPAA Privacy Rule when disclosing protected health information to external parties acting as business associates. This document prescribes procedures for handling such arrangements with external parties who are UW-Madison’s business associates, as defined in the Privacy Rule.
- Business Associate Agreements Required. Each unit must ensure that its Business Associates execute a Business Associate Agreement, in the form prescribed below.
- Signatory Authority For Business Associate Agreements.
  - UW-Madison Purchasing Services. The Director of Purchasing Services shall execute all Business Associate Agreements on behalf of UW-Madison, except as set forth in subsections (2) and (3), below.
  - Delegated Agents. Some individuals within certain units have been granted signatory authority by Purchasing Services with respect to purchases or agreements up to a certain dollar amount. These Delegated Agents have authority to execute Business Associate Agreements in connection with any agreements within the scope of their signatory authority. A unit with a Delegated Agent may wish to appoint its Delegated Agent to be its unit Privacy Coordinator.
  - Others with Signatory Authority. If necessary, any UW-Madison employee other than those listed above who has authority to sign contracts on behalf of UW-Madison may execute a Business Associate Agreement.
- Process for Negotiating and Executing Business Associate Agreements.
  - Unit-Specific Arrangements. Each unit shall be responsible for identifying all unit-specific arrangements that require a Business Associate Agreement.
    - The unit shall negotiate the Business Associate Agreement with the vendor or other party and shall be responsible for obtaining a signed copy of the Agreement from the vendor. (See Section IV, below, regarding the proper form of the Agreement.) If questions or problems arise during the negotiation process, units should contact the Director of Purchasing Services, who shall consult as necessary with the UW-Madison Privacy Officer and/or UW-Madison Office of Legal Affairs.
    - Once the signed Agreement has been obtained, it must be forwarded to the Director of Purchasing Services (or the unit’s Delegated Agent, if applicable) for counter-signature, along with a completed Contract Approval Cover Sheet (such forms are available through Purchasing Services). If the Agreement is in connection with a new arrangement that involves payment by UW-Madison for purchased services, a requisition order must also be forwarded with the Agreement.
    - Once received from the unit, Purchasing Services (or the Delegated Agent) will review the Agreement, counter-sign it, and send a fully executed copy of the Agreement to the vendor or other party. A copy of the Agreement will also be sent to the UW-Madison Privacy Officer and to the unit Privacy Coordinator.
  - Multiple-Unit or Institution-Wide Arrangements.
    - Purchase Arrangements. Purchasing Services shall be responsible for identifying all existing and new institution-wide and multi-unit purchase arrangements that require a Business Associate Agreement. Purchasing Services shall work with affected units to implement such Business Associate Agreements.
    - Non-Purchase Arrangements. The UW-Madison Privacy Officer shall be responsible for identifying all institution-wide and multi-unit arrangements not involving payment for services that require a Business Associate Agreement and for ensuring the execution of such Business Associate Agreements.
- Maintaining Business Associate Agreements.
  - When Purchasing Services or a Delegated Agent counter-signs a Business Associate Agreement, they shall retain a copy thereof and forward the original to the UW-Madison Privacy Officer.
  - Units should maintain copies of all Business Associate Agreements to which they are a party.
  - The original of each Agreement shall be maintained by the Privacy Officer for a period of six years from the time the Agreement expires or is terminated.
- Form of Business Associate Agreement.
  - A template Business Associate Agreement is available on the hipaa.wisc.edu website under the Forms tab. If the Business Associate seeks to negotiate alternative language or presents its own version of a Business Associate Agreement, that alternative language must be approved by the Director of Purchasing Services, who shall consult as necessary with the UW-Madison Privacy Officer and/or UW-Madison Office of Legal Affairs.
- Disclosures Prohibited.
  - As of April 14, 2003, no unit, or any employee thereof, may disclose any PHI to a Business Associate unless a Business Associate Agreement has been executed.
- Violations of the Business Associate Agreements.
  - Any employee of a unit who becomes aware of a pattern of activity or practice on the part of a Business Associate that violates the Business Associate Agreement shall report the violation as soon as possible to the unit Privacy Coordinator.
  - When a violation is reported, the unit Privacy Coordinator shall report the violation as soon as possible to the UW-Madison HIPAA Privacy Officer.
  - The HIPAA Privacy Officer and unit Privacy Coordinator shall determine whether the violation is a “material breach” of the Business Associate Agreement.
  - If the violation is determined to be a “material breach,” the Privacy Officer and unit Privacy Coordinator shall decide on an appropriate course of action consistent with the Privacy Rule and the terms of the Business Associate Agreement. Such course of action must include reasonable steps to mitigate, to the extent possible, any harm caused by the violation and reasonable steps to end any continuing violation. If the Business Associate continues to engage in conduct in violation of the Business Associate Agreement, the unit shall terminate its relationship with the Business Associate. If termination is not possible, the UW-Madison HIPAA Privacy Officer shall report the violation to the Secretary of the Department of Health and Human Services.
- Termination of the Business Associate Arrangement. When UW-Madison’s relationship with the Business Associate terminates, for whatever reason (e.g., early termination or end of contract term), the unit must:
  - Facilitate a return of the PHI from the Business Associate;
  - Obtain a certification from the Business Associate that it has destroyed the PHI; or
  - If the parties agree that return or destruction is infeasible, obtain certification from the Business Associate that it will continue to protect the PHI as required under the Agreement for so long as the Business Associate maintains the PHI.
Consequences for Non-Compliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional non-compliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failure to comply with HIPAA or to cooperate with OCR in an investigation may result in civil and/or criminal penalties.