[ Wednesday, March 27, 2002 ]
Model Business Associate Agreement (“BAA”) Included in Revisions to Privacy Rule
I’ve had a chance to take a look at the revisions to the Privacy Rule published in yesterday’s Federal Register (I’ve looked at it in the form submitted, not in the form it appears in the Fed Reg; once I’ve looked at that, I’ll add references here), and was surprised to find a model BAA included. I’ve read it over, and I’m neither impressed nor distressed. Like I said, the language in the Privacy Rule wasn’t too confusing on what needed to be in a BAA. The model BAA looks like you’d expect it to. There’s one bad piece to it if you decide to use it: the term states that it ends when all of the Protected Health Information (“PHI”) has been returned. In the text of the Privacy Rule, once a BAA is terminated, the business associate must destroy or return the PHI; the way the language appears in the model BAA, the BAA can’t terminate until the PHI is returned. That makes a chicken-and-egg problem.
The Big Change
The big change in the Privacy Rule is the removal of the requirement that a consent be signed for treatment, payment or healthcare operations (sometimes reduced to the shorthand “TPO”), so long as the covered entity gets an acknowledgement from the patient that the patient had received a copy of the covered entity’s notice or privacy policies.
A covered entity can still get a consent; most providers already get consents to the disclosure of patient information for payment or treatment purposes, since it’s generally a good idea. Physicians have an ethical, and in most jurisdictions a legal, obligation to maintain the confidentiality of a patient’s medical information, so a normal part of a visit to a physician’s office includes signing a consent for the physician to disclose the information to insurance companies and other physicians. This will still probably be the case.
In the original draft of the Privacy Rule, covered entities were free to use PHI for TPO, and in fact were prohibited from obtaining a consent for those purposes. The idea was to clearly distinguish normal uses (TPO) from abnormal uses (marketing, etc.) that need authorization (keep in mind: consents are for normal uses, authorizations are for unusual or unexpected uses). Those requirements were revised in the rule that became the final Privacy Rule, out of recognition that it is common practice for providers to get consents. This revision is just somewhere in between.
There are some good reasons for this revision. Imagine you’re a patient at your PCP. You’ll probably sign a consent. If your doctor calls in a prescription for you, the pharmacist should be able to fill the prescription, so long as he gets your consent later or at least gives you his notice of privacy practices. Same with a referral to a specialist; the specialist ought to be able to treat you when you need treatment and get your consent (or acknowledgement of receipt of his privacy practices) later.
What’s surprising, as well as disappointing, is the fairly idiotic public reaction to these revisions by such luminaries as Loriann Goldman (the chief Georgetown Privacy Nazi) and Ted Kennedy. I’m not too surprised to see USA Today editorialize that “HHS weakens protections.” The editorial gives three examples of recent breaches of confidentiality as justification for the pre-revised rules. One classic breach of logic: those breaches already violated state laws in place prior to the passage of HIPAA. If providers would break state laws, what makes the editors of USA Today think that yet another law will fix the problem?
Jeff [10:32 PM]