A key concern for physician executives gearing up to comply with HIPAA privacy guides is how to deal with various business entities that help them provide or get paid for providing patient care.
"What is still very problematic for the office medical practice is the business associate provision," says David Kibbe, M.D., director of health information technology for the American Academy of Family Physicians and a professor of medicine at the University of North Carolina.
The massive HIPAA administrative simplification regulations require that all healthcare entities subject to HIPAA certify that all of their business associates comply with the rules when they handle protected health information.
But often, practices are unsure exactly what constitutes a business associate.
"We are seeing a couple of areas where there has been some confusion," says David Szabo, partner and co-chair of the healthcare practice at the Boston law firm of Nutter, McClennen & Fish. "Some payers are saying all providers are business associates. That's not true."
For example, Szabo says members of utilization review panels, quality control consultants and others who are not privy to personally identifiable, protected health information may not be business associates for HIPAA purposes.
"Labs and MRI centers are not business associates," Szabo says. "Those are other covered entities."
The problem of defining business associates often is a logistical one, according to Szabo. Each covered entity first must identify all its partners, then determine if each relationship needs a written agreement.
"Primary care physicians and primary care offices have lots and lots and lots of contracts with potential business associates," Kibbe says.
Kibbe, who also is president-elect of the North Carolina Healthcare Information and Communications Alliance and chairman and founder of Canopy Systems, a hospital care management software application service provider in Chapel Hill, N.C., says that many current business agreements are informal and verbal. Getting proper written contracts could entail "huge costs" for legal services, he cautions.
"Probably a lot of lawyers are going to be business associates," says Szabo.
"Smaller practices can put as their No. 1 suspect their billing company," Szabo advises. Next on the list ought to be transcription services and any other business partners related to medical record keeping.
Still, the distinction is not always so cut-and-dried.
Donna Eden, senior attorney in the CMS division of the HHS Office of General Counsel and the lead government lawyer on development of HIPAA regulations, says practice executives and compliance officers often mistakenly neglect the transactions and security regulations when making a list of HIPAA business associates.
"'Business associates' has become associated with the privacy rule, but it is a HIPAA-wide rule," she says.
Moreover, trading partners, which are different from business associates in that they do not handle patient data, do not need a written contract, just an agreement that they will conform to HIPAA rules and applicable state laws.
Proposed modifications to the privacy rule that HHS issued in March and expects to complete this fall contain model language for a business associate agreement.
HHS estimates that this model contract will save healthcare providers an aggregate of $35 million from the previously forecast $103 million initial-year expenditures in drafting HIPAA-compliant agreements.
The proposed changes also include a grandfather clause so practices will not have to renegotiate all existing contracts right away.
"If you have a written agreement with a vendor prior to the (proposed modifications) becoming final, you have an automatic one-year extension" until April 2004, Szabo says.
Seeking ways to simplify the process of signing up business associates, CareScience, a Philadelphia-based, online care management company, is piloting a hub-and-spoke style transaction service for sharing clinical data in Santa Barbara County, Calif.
The Santa Barbara County Care Data Exchange Council, formed in 1998, is a policy-setting board made up of various alliances of healthcare trading partners.
"We're the central business associate," says David Brailer, M.D., chairman and CEO of CareScience.
Each client signs a single business associate agreement with CareScience that applies to relationships with other members of the council. The pact generally spells out procedures for dispute resolution and defines proper uses for any shared data, Brailer says.