Public Health-Seattle & King County
Seattle and King County, Washington State, USA
March 16, 2004

Number of Full-Time Employees
Number of full-time employees of the Local Public Health Agency (does not include business associates): 2,000 FTE

Jurisdiction Population
Population of the area covered by the Local Public Health Agency (LPHA): 1.7 million (2001 population estimate)
Covered Entity Status
LPHA's status under HIPAA (e.g., fully covered, hybrid)

King County Government, Washington has been classified as a hybrid entity. However, the public health department itself is considered a fully-covered, designated health care component.

When Public Health-Seattle & King County (PHSKC) began the process of deciding on its covered entity status, it first looked at whether the department qualified as either a health plan or a health care provider. This is particularly important for compliance with the Transactions and Code Set Rule. In the first case, although PHSKC does pay for some services (e.g., the Ryan White funds, Breast and Cervical Health), it does not need to accept electronic data transactions for payment of those services. Jail Health services also pays for health care services provided outside of the clinic; however, the jail is exempt from the requirement to accept transactions. In contrast, PHSKC does process data electronically in its capacity as a health care provider. As such, it was determined that at least some activities would be covered under HIPAA Transactions.

During the initial assessment, PHSKC considered becoming a hybrid entity, covering only those activities specifically required under HIPAA; for instance, designating only the clinical components that submit covered transactions. However, PHSKC took several issues into account. First, the entire department was already in compliance with the current state privacy law, much of which was more stringent than HIPAA. Second, there is a need to share PHI across the department (subject to the minimum necessary standard) that would require the construction of substantial firewalls if the department adopted a hybrid model. Finally, privacy staff within PHSKC believed that HIPAA would likely guide future operations within the health care sector, at least indirectly affecting the entire department, regardless of whether particular sections were covered or not. Based on these considerations, the decision was made to make the department a fully-covered designated health care component.

Structure of LPHA
How is the LPHA structured (e.g., centralized within the state or more autonomous)?

King County, Washington is the eighth largest metropolitan local health department in the country. Over one-third of the state’s population resides in the county. As such, although it works closely with the state Department of Health, the city-county public health department operates autonomously.

PHSKC operates 13 full-time, direct service clinics, four of which provide primary care, and numerous satellite/specialty clinics.

Function of LPHA
What services does the LPHA provide?
As befits a large public health agency, PHSKC provides numerous public health and health care services, including the following service delivery and non-service activities:
  • Primary care (4 clinics)
  • Women, Infants, and Children (WIC) program
  • Public Health Nursing and/or field nursing home visits
  • Immunization
  • Sexually Transmitted Diseases (STDs)
  • Special tuberculosis clinic
  • Public health lab (indirect service location)
  • High-risk, urgent care in the county jail
  • Emergency Medical Services (EMS): PHSKC provides oversight and acts as a health officer for paramedics and emergency medical technicians (EMTs); PHSKC also operates a portion of direct EMS services in South County.
  • Epidemiological planning and evaluation
  • Data analysis
  • Vital records
  • Public health education
  • Contract with the State for immunization registry
  • Environmental health
  • Teen health education services
  • Disease investigation
  • Surveillance
  • Medical examiner/coroner
  • Alcohol and Tobacco Prevention Programs
  • Vital Statistics (births and deaths)
  • Maternity case management and support services
  • Family planning
  • HIV/AIDS education

Challenge to HIPAA Privacy Rule Compliance
This section details the specific challenge to HIPAA Privacy Rule compliance faced by the LPHA.

Organizational Infrastructure and Privacy Administration: State Law Preemption

In 1986, the State of Washington passed the Uniform Health Care Information Act. Until the HIPAA Privacy Rule was developed, the Uniform Health Care Information Act was the basis for health care privacy in the state. In many ways, the Act is more stringent or in line with HIPAA.

When it sought to implement the HIPAA Privacy Rule, PHSKC had to reassess its implementation of state law within the context of the new federal law. In general, HIPAA sets a benchmark for privacy, which states are allowed to surpass as long as they remain in compliance with HIPAA. For a state such as Washington with strong and numerous privacy rules and regulations previously in effect, the challenge to PHSKC was to integrate the federal and state laws into one set of clear policies and procedures.

PHSKC has had many challenges in determining when it is permitted to use and disclose Protected Health Information. Some of the biggest challenges have been based on the different role PHSKC plays in the health care system.

  • PHSKC provides direct treatment to clients. When providing treatment, the disclosure rules are very clear (TPO, and as permitted by law).
  • PHSKC also serves as a Public Health Authority. When serving in this capacity, PHSKC is also permitted to use and disclose PHI, yet the rules are somewhat different and less clear. Examples of ambiguity include: When can information be disclosed to the state as well as to CDC? What constitutes surveillance information? How do these health records tie into the designated record set, as well as the accounting of disclosures requirement?
  • PHSKC is also required to use and disclose information for vital statistics such as births and deaths. These disclosures are under the guidance of the state registrar and NCVHS.
  • As a Public Agency, PHSKC is also subject to Public Disclosure laws. Federal and State privacy laws often trump HIPAA, but this does not solve the problem. It means that some parts of information must be disclosed, while others must be kept private (i.e., redacted).

Public Health Authority vs. QI vs. Research -- Depending on the activity, the requirements under HIPAA and state laws are different. PHSKC has found it helpful to go back to the intent of the activity to determine if the activity is PHA, QI or Research. Once the intent is established, use and disclosure policies and procedures may be applied. Click here to see guidelines for defining research.

Section of HIPAA Privacy Rule in Question – Rule
This section will detail the specific portion of the HIPAA Privacy Rule that is in question.
This section will also include a link to the full-text of the HIPAA Privacy Rule.

§ 160.202 Definitions.

For purposes of this subpart, the following terms have the following meanings:

Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:

  1. A covered entity would find it impossible to comply with both the State and federal requirements; or
     
  2. The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable.

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:

  1. With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:
    (i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or
    (ii) To the individual who is the subject of the individually identifiable health information.
     
  2. With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.
     
  3. With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.
     
  4. With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.
     
  5. With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.
     
  6. With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

Relates to the privacy of individually identifiable health information means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

Strategy Employed to Address Challenge
This section describes the strategy employed by the LPHA to overcome the challenge.

In order to comply with HIPAA, PHSKC created a project structure and approval process to oversee, advise and guide the assessment, planning, and implementation of the project in order to meet the business needs of the department. PHSKC recognized the importance of complying with the new federal law, but wanted to do so in a way that improves service delivery instead of creating more bureaucracy. There are several teams associated with the project. The steering committee was comprised of the executive leadership of all departments/divisions within PHSKC in the county. A task force was created comprised of department managers that would address and advise on the operational impact of issues, policies and procedures put in place to comply with HIPAA. The task force was divided into three subcommittees to address specific issues, including transactions, privacy, and security. See a diagram of the project structure here. Within the privacy subcommittee, meetings were held monthly to plan, problem solve and implement activities.

In addition, a project manager was hired to run the project. The person selected for the position was hired not because of any specific knowledge of privacy, but because of the individual’s knowledge of the department and how it worked, as well as the leadership skills required to move the project forward in a way that created buy-in and support. Executive leadership made this decision because they believed that the consultants retained for the project already had a detailed knowledge of HIPAA; what they lacked was a clear understanding of how the department worked. As the consultants worked with the project manager, they received thorough information about the department. In return, the consultants educated the project manager and the department about HIPAA.

Prior to development of an implementation plan for the Privacy Rule, PHSKC hired a consulting firm to conduct an analysis for compliance. Over the course of six months, the project team, including the consultants, completed the first phase of the project to develop an implementation plan. The process included:

  • Needs assessment;
  • Gap analysis;
  • Cost assessment for implementation of HIPAA;
  • Development of an implementation plan; and
  • Development of a leadership training program.

The gap analysis specifically compared the state’s privacy laws (e.g., Uniform Health Care Information Act) with the HIPAA Privacy Rule.

To perform the analysis, the consultant employed the following step-by-step approach:

  1. To establish the impact of HIPAA on PHSKC, the project team interviewed approximately 73 staff members and evaluated over 63 programs and services. The interviews identified processes involving HIPAA-covered transactions as well as protected health information (PHI).
     
  2. The gap analysis looked at the direct impact of HIPAA. The Gap Analysis built on the Needs Assessment performed earlier, and identified the specific impact that the HIPAA rules had on the organization, and documented the distance between PHSKC’s current state and remediation required for HIPAA compliance. The project team reviewed the information collected in the Needs Assessment, and obtained additional information related to specific topics. Please note that the Gap Analysis took precedence over the Needs Assessment. As additional information was gathered, some of the findings in the Needs Assessment were found to no longer be factors in gaining HIPAA compliance. Conversely, some additional findings were present in the Gap Analysis as a result of the continued analysis completed for this task. Compliance gaps were prioritized to identify those that posed the greatest risk to the organization. These findings were used to develop compliance plans for the organization.
     
  3. State law was reviewed to determine what was required of PHSKC prior to implementation of the Privacy Rule.
     
  4. Other regulatory requirements were reviewed against state law and the HIPAA Privacy Rule. For instance, Jail Health Services’ policies and procedures must comply with NCCHS, and the Medical Examiner’s Office has its own set of standards and procedures.
     
  5. The Privacy Rule itself was reviewed to identify its specified requirements.
     
  6. Both state and federal laws were compared to assess similarities and differences, and determine the changes to policies and procedures necessary for compliance with both laws.

After the gap analysis had been conducted, the project team analyzed costs and options. Based on the cost analysis, an implementation plan was developed and approved. Given that the plan was approved in February 2003, a short-term plan was developed to meet the immediate needs of the April 14, 2003 deadline specified by HIPAA. The short-term plan included creation of a privacy office within PHSKC, implementation of the notice of privacy practice, training staff regarding HIPAA, and developing a long-term implementation plan.

PHSKC decided not to use a consultant for the actual implementation because PHSKC wanted to grow a knowledge base of HIPAA (and state law) within the organization. PHSKC recognized that compliance is an ongoing activity -- not something that is performed once. Instead, PHSKC leveraged existing staff who had been involved in HIPAA and brought on new and temporary staff to help with compliance. As part of the implementation plan, the project team and other staff broke into privacy sub-teams to focus on specific areas for compliance. The various teams began to use the gap analysis to identify the policies and procedures that would have to be changed and/or created to comply with the Privacy Rule. For example, PHSKC determined that its “consent form,” mandated by state law, would have to be changed to the “authorization form” set forth under HIPAA. However, under state law, the release expires in 90 days. Because no provision in HIPAA conflicted with the 90-day expiration, PHSKC integrated the expiration into the new “authorization form.”

Since February 2003, PHSKC has continued to develop policies and procedures. PHSKC will continue to refine policies and procedures as it works to comply with the HIPAA Security Rule. Click here to see information on PHSKC’s HIPAA Security Team.

Facilitators to Implementing Strategy
This section describes some of the things that helped the LPHA implement the strategy.

Washington State Hospital Association

Prior to the efforts conducted by PHSKC, the Washington State Hospital Association contracted with a legal firm to conduct a pre-emptive analysis. While the analysis did not address the specific concerns of PHSKC as a public health authority, it did address issues pertaining to the department’s role as a medical care provider. This provided PHSKC with an external, unbiased resource to reference in comparing the Uniform Healthcare Information Act and HIPAA. PHSKC became informed about the pre-emptive analysis through a community forum called Community Health Information Technology Alliance (CHITA), a WEDI-SNIP discussion group.

Washington State Department of Health

Because the Washington State Department of Health (DOH) classifies only a small portion of itself as a covered entity under the Privacy Rule, its experience with HIPAA implementation was not particularly useful for PHSKC’s initial review of state and federal law or for its implementation. However, the state has added mandatory reporting information to its HIPAA Web site. The State Department of Health has also created a DOH HIPAA Privacy Office, though it does not include a liaison for local public health agencies. PHSKC has used the mandatory reporting definition as a reference for itself and for other health care providers. PHSKC has also been able to pose questions to the state Privacy Office.

Collaboration with Other Local Public Health Agencies

Many of the local public health agencies in Washington State have developed an informal network to communicate ideas and experiences regarding implementation of the Privacy Rule. Because there is little, if any, direct validation for correct implementation of HIPAA, the network acts as a means to share interpretations and activities among local public health agencies. In the case of comparing state and federal law, PHSKC used the network to compare interpretations and the adjoining policies and procedures developed in other local public health agencies.

Outside Consultants

The outside consultants hired by PHSKC at the beginning of the process brought a level of expertise that the department simply did not have. The consultants were able to educate the department about how state and federal law compared, and helped the department develop the training necessary to educate the entire staff.

Barriers to Implementing Strategy
This section details the barriers the LPHA faced while implementing the strategy.

Federal/State Law Variation

According to the Privacy Rule, if state law is more stringent than HIPAA, then the state law takes precedence. However, the Privacy Rule is a nuanced document that necessitates careful review. While state law may be similar to HIPAA, some of the federal requirements may not be completely identical. Slight variations between state and federal law may have significant effects.

Through its gap analysis, PHSKC determined that the State Consent to Release form, with nine separate parts, was much more comprehensive than the Authorization to Release form required by HIPAA. Therefore, changes were deemed unnecessary. However, the state form did not specifically list client rights as directed by HIPAA. Therefore, soon after the April 15th, 2003 deadline, other agencies started to reject the authorization forms from PHSKC. PHSKC had to act quickly to produce a HIPAA and state compliant authorization.

Policies and Procedures

Prior to HIPAA, local public health agencies shied away from developing policies for fear of being held accountable to those policies, including the possibility of non-compliance with state law. With the advent of the Privacy Rule, local public health agencies were forced to develop those policies. Due to the various interpretations of HIPAA throughout PHSKC’s programs and services, the agency experienced difficulty creating policies and procedures which complied perfectly with HIPAA and also supported the agency’s many operations requirements. As a result, the release of various policies and procedures has been delayed.

Disclosure of Protected Health Information

As with other activities performed by the Department, PHSKC faced inconsistencies and confusion between state law and HIPAA affecting its role as a public health authority and its ability to disclose PHI. For example, reconciling death certificates, which are considered public records by the state, was raised in the gap analysis. Three sections in the death certificate referenced the cause of death, which may be considered PHI under HIPAA. These types of situations all needed resolution before information could be disclosed.

Despite training their own staff about HIPAA and developing policies and procedures based on the gap analysis, PHSKC also faced the problem of other agencies not understanding the disclosure rules for Protected Health Information (PHI). In many cases, other agencies were not only unaware of what HIPAA required, but were also not fully compliant with previous state law.

Actions Taken to Overcome Barriers
This section describes how the LPHA overcame the barriers faced while implementing the strategy.

Federal/State Law Variation

In general, PHSKC has been forced to increase the level of scrutiny applied in the gap analysis, to make sure that any state law deemed more stringent than HIPAA, and therefore used as the basis for policies and procedures, does not miss any of the subtle differences in the Privacy Rule. In the example described above, PHSKC was forced to revise its new release form to include the client’s rights on the form. This met the HIPAA requirement and was then deemed acceptable by the agencies that had rejected the original form.

Policies and Procedures

To address the issue of creating and altering policies and procedures to comply with the Privacy Rule, all policies and procedures were created as “working drafts” during their initial release. As policies and procedures were implemented, they were altered as their impact became clear, particularly as interrelation of various policies was discovered.

By creating a draft document system, PHSKC was able to begin implementation of the policies without having to wait for finalization. This system was supported by a flexible review process. In effect, overarching concepts for policies were initially approved without fixed details. As the impact of the policies became clear, the policies and procedures in question were altered and then went through a final clearance process.

Disclosure of Protected Health Information

To facilitate its compliance, PHSKC has tried to differentiate its role as a direct treatment provider versus an indirect treatment provider.

  • Direct treatment provider: PHSKC provides treatment to clients, and the disclosure rules are much clearer (TPO, and as permitted by law). This is also where clients are to receive the Notice of Privacy Practices.
  • Indirect treatment provider: PHSKC does not directly treat the client. PHSKC may work with the health care provider and advise on how to handle the particular disease, or work with the client and the treating provider. This is where the role is less clear, and the disclosure issues are more difficult. In general, PHSKC de-identifies information whenever possible, or limits the amount of information disclosed. For instance, when working with the health care provider, PHSKC may mention only the name of the client that the provider is treating and reference other statistical numbers. When working with the media, the information is de-identified unless particular information is required to control the disease.

To deal with issues related to its ability to release PHI in its capacity as a public health authority, PHSKC decided to employ pre-emptive analyses. Although delaying decisions on the release of various data by as many as three to four months, these analyses result in clear decisions on the release of PHI. In the case of the death certificates, PHSKC worked with the Washington State Department of Health (DOH) to make a determination on whether current practices regarding release of these data would violate either HIPAA or state law. In this case, the DOH’s finding, based on recommendations from NCVHS, was that the current practice was in compliance with both laws. Fortunately, PHSKC has been able to minimize the amount of time necessary to complete these pre-emptive analyses because of the baseline knowledge that has been developed over time.

To clarify misperceptions regarding disclosure of PHI among other agencies, PHSKC created a letter signed by the Public Health Director and Health Officer. Included in this letter, designed for the other agencies' own use, was information explaining both how HIPAA allows disclosure of PHI for public health and how state law requires such disclosure. PHSKC continues to provide similar information to other agencies when there is confusion. However, PHSKC has no authority to enforce reporting of information; they may only provide education.

Resources Used to Implement Strategy (e.g., in-house, state assistance, outside vendor)
This section lists the resources used by the LPHA to implement the strategy.

To facilitate the integration of state and federal law and verify state law preemption, PHSKC used a number of different resources. The following is a list of resources, both generic (i.e., local public health agencies will have to find the resource specific to them) and specific (i.e., resources that can be used by various local public health agencies).

Generic Resources

  • Outside consultants;
  • State Law;
  • Other local public health agencies; and
  • Legal counsel – internal and external counsel.

Specific Resources

Outcomes of Strategy Implementation
This section describes the outcomes of strategy implementation, intended and/or unintended.

Though PHSKC continues to develop and refine policies and procedures based on the original gap analysis, many of the state preemption issues have been identified and dealt with appropriately.

Consequences
This section describes the consequences, both intended and unintended, of implementing the strategy.

By having to conduct the state/federal review of privacy policies and procedures, PHSKC has standardized many of its business practices. This activity has provided an opportunity to revisit old procedures, improve quality, and create economies of scale.
Challenge to HIPAA Privacy Rule Compliance
This section details the specific challenge to HIPAA Privacy Rule compliance faced by the LPHA.

Contracts/Agreements – Business Associate Agreements

In order to comply with requirements in the HIPAA Privacy Rule, PHSKC’s legal department advised that business associate requirements be included as a standard in all contracts. This way, whenever PHI is used or disclosed it would be protected per the contract. Originally, PHSKC thought that this would address most of the business associate requirements. However, given that PHSKC is a large, complex organization operating within the county’s own large, complex organization, the blanket solution was not completely effective.

Section of HIPAA Privacy Rule in Question – Rule
This section will detail the specific portion of the HIPAA Privacy Rule that is in question. This section will also include a link to the full-text of the HIPAA Privacy Rule.

§ 164.502 Uses and disclosures of protected health information: general rules.

(e)(1) Standard: disclosures to business associates.

(i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.

(ii) This standard does not apply:

(A) With respect to disclosures by a covered entity to a health care provider concerning the treatment of the individual;

(B) With respect to disclosures by a group health plan or a health insurance issuer or HMO with respect to a group health plan to the plan sponsor, to the extent that the requirements of § 164.504(f) apply and are met; or

(C) With respect to uses or disclosures by a health plan that is a government program providing public benefits, if eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or if the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency other than the agency administering the health plan.

(iii) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.504(e).

(2) Implementation specification: documentation. A covered entity must document the satisfactory assurances required by paragraph (e)(1) of this section through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).

§ 164.504 Uses and disclosures: organizational requirements.

(e)(1) Standard: business associate contracts.

(i) The contract or other arrangement between the covered entity and the business associate required by § 164.502(e)(2) must meet the requirements of paragraph (e)(2) or (e)(3) of this section, as applicable.

(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (e) of this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:

(A) Terminated the contract or arrangement, if feasible; or

(B) If termination is not feasible, reported the problem to the Secretary.

(2) Implementation specifications: business associate contracts. A contract between the covered entity and a business associate must:

(i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and

(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

(ii) Provide that the business associate will:

(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;

(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;

(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;

(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;

(E) Make available protected health information in accordance with § 164.524;

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;

(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;

(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and

(I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

(3) Implementation specifications: other arrangements.

(i) If a covered entity and its business associate are both governmental entities:

(A) The covered entity may comply with paragraph (e) of this section by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section.

(B) The covered entity may comply with paragraph (e) of this section, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section.

(ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in § 160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph (e), provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(3)(i) of this section, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.

(iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.

(4) Implementation specifications: other requirements for contracts and other arrangements.

(i) The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the information received by the business associate in its capacity as a business associate to the covered entity, if necessary:

(A) For the proper management and administration of the business associate; or

(B) To carry out the legal responsibilities of the business associate.

(ii) The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if:

(A) The disclosure is required by law; or

(B)(1) The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and

(2) The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.

Strategy Employed to Address Challenge
This section describes the strategy employed by the LPHA to overcome the challenge.

To be in compliance with HIPAA, PHSKC had to develop a plan that addressed both existing contracts and new contracts.

Existing contracts:

There are several types of agreements in place at PHSKC. In order to meet the business associate requirement, PHSKC had to look at the various types of agreements and implement a process to capture existing agreements, as well as those developed in the future. Below is an outline by agreement type:

  • Boilerplate Contracts: standard contract and business associate language is included. This language was added to all contracts being created or renewed in 2003. The original thinking was that this would address most contracts; in practice, many contracts were not captured through this process.
  • Contracts let by King County where PHSKC may access services through a direct voucher: the County will include the business associate language in the agreement or send a stand-alone agreement.
  • “Stand-alone” Business Associate Agreements (BAA): to be used when the contract itself is current and not being renewed, or with no-money contracts.
  • Memoranda of Understanding (MOU): agreements where no money is exchanged, but which are in place for indemnification and liability. Business associate language has been added to the template, but these agreements often extend over a longer period of time.
  • PHSKC is the business associate of another entity: PHSKC incorporates the language from its own agreement, or works through legal counsel to review and approve the language set forth by the other agency.

New contracts:

In addition, processes were modified so that program and contract monitors can notify the contracts staff of any new agreements that would be considered business associate arrangements. There is now a business associate check box, with criteria, on all contract forms (County let, MOU, Boilerplate, etc.), and the contracts system will track contracts that carry a business associate agreement.

Barriers to Implementing Strategy
This section details the barriers the LPHA faced while implementing the strategy.

Business Associate Agreements

PHSKC has numerous arrangements with community and other organizations, including vendors, schools, and universities. Under HIPAA, many of these arrangements would be considered business associate arrangements. However, because of the variation in the agreement types it employs and the impact of state law on these arrangements, PHSKC could not simply apply a one-size-fits-all method to make these arrangements compliant with HIPAA.

Actions Taken to Overcome Barriers
This section describes how the LPHA overcame the barriers faced while implementing the strategy.

Business Associate Agreements

For contractual agreements that involve money for services, PHSKC decided to include standard business associate language in all of the contracts. For some of these contracts, the language is not necessary. However, PHSKC determined that there was no harm caused by including the language.

PHSKC also employs memoranda of understanding when money is not involved. In these cases, PHI disclosure may still occur. Contract monitors with PHSKC now review these agreements and insert business associate language when it is deemed necessary. Contract monitors also make sure that contracts made by the County on behalf of all the departments include business associate language if PHI is affected.

On top of adding language to new contracts and some of the memoranda of understanding, PHSKC also revisited existing contracts, particularly those that did not expire. Staff with the HIPAA office worked with the procurement office to identify a list of contracts that might need the business associate language. These contracts were then reviewed, and selected contracts were pulled because they needed the business associate language. Contractors were then sent a letter indicating that the business associate language would be added to their contracts as a contract amendment in order to be in compliance with HIPAA. Forensic labs fell into this category of contractor.

Contact Name: Kristi Korolak
Title: HIPAA Project Manager
Contact Information: Public Health, Seattle & King County
Telephone: (206) 296-4776

Copyright 2006 © Public Health Data Standards Consortium - All rights reserved