14.18 Business Associates & Business Associate Agreements
14.18.1 POLICY STATEMENT
The Health Plan may disclose protected health information (PHI) to business associates, or allow business associates to create or receive protected health information (PHI), provided the business associate executives sign a written agreement to appropriately safeguard such PHI.
14.18.2 POLICY INTERPRETATION AND IMPLEMENTATION
| Definition of Business Associate | A business associate means a person or entity who is not an employee or workforce member of the Health Plan; who performs or assists in the performance of a function or activity on behalf of the Health Plan that involves the use or disclosure of PHI; or provides legal, actuarial, accounting, consulting, data compilation, management, administrative, accreditation, or financial services. |
| Definition of Employee/Workforce Member | An employee/workforce member, for the purposes of this policy, means any employee, trainee, volunteer, or any other person(s) whose conduct, in the performance of work for the Health Plan, is under the direct control/supervision of the Health Plan, regardless of payment source. |
| Identification of Business Associates | It is the Health Plan’s obligation to ensure that all of the Health Plan’s business associates have a written valid business associate agreement. |
| Content of Business Associate Agreements | The business associate agreement between the Health Plan and the business associate establishes permitted and required uses or disclosure of PHI. Pursuant to the agreement the business associate must agree to at least:Not use or disclosure PHI;Develop safeguards to prevent unauthorized use or disclosure of information;Promptly report unauthorized access, use or disclosure of information to the HIPAA Privacy Officer;Require any subcontractors to adhere to the same requirements as outlined in the agreement between the Health Plan and business associate;Make information available for access by the individual or his/her representative as permitted by law;Allow individuals to amend medical information and incorporate such amendments as part of the PHI;Develop a process that allows for an accounting of uses and disclosures of information in accordance with current law;Make its internal practices. books and records relating to its receipt or creation of PHI available to the Office of the U.S. Secretary of Health and Human Services for purposes of determining the Health Plan’s compliance with HIPAA regulations;Develop a process for returning or destroying all PHI upon termination of the business associate agreement; andDevelop a process for continuing the full protection of PHI for as long as the business associate retains any PHI. |
| Record Retention | A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both. |
| Privacy Officer | The Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about your HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (651) 696-6280. |
| Violations | Violations of this policy will be subject to discipline. |