Standards
for Privacy of Individually Identifiable Health Information
X. Sample Business Associate Contract Provisions--Appendix
March 2002 NPRM
In response to requests for guidance, the Department provided sample
language for business associate contracts. The provisions were provided
as an appendix to the preamble and were intended to serve as guidance
for covered entities to assist in compliance with the business associate
provisions of the Privacy Rule. The proposal was not a model contract,
but rather was sample language that could be included in a contract.
Overview of Public Comment
The Department received a small number of comments addressing the
sample business associate contract provisions. The comments fell
into four general categories. Most commenters were pleased with
the Department's guidance for business associate contracts and expressed
appreciation for such guidance. Some commenters thought the language
was insufficient and requested that the Department create a complete
model contract, not just sample provisions. The
third category of commenters thought the provisions went further
than the requirements in the regulation and requested specific changes
to the sample language. In addition, a few commenters requested
that the Department withdraw the sample provisions asserting that
they will eliminate the potential of negotiating or establishing
a business associate contract that is tailored to the precise requirements
of the particular relationship.
Final Modifications
This Rule continues to include sample business associate contract
provisions as an appendix to the preamble, because the majority
of commenters that addressed this subject found these provisions
to be helpful guidance in their compliance efforts with the business
associate contract requirements in the Privacy Rule.
The Department has made several changes to the language originally
proposed in response to comment. Although these are only sample
provisions, the changes, which are described below, should help
to clear up some confusion.
First, the Department has changed the name from "model language"
to "sample language" to clarify that the provisions are
merely sample clauses, and that none are required to be in a business
associate contract so long as the contract meets the requirements
of the regulation. The sample language continues to indicate, using
square brackets, those instances in which a provision or phrase
in a provision applies only in certain circumstances or is optional.
The Department has made three modifications in the Obligations
and Activities of the Business Associate provisions. First, there
are modifications to clarify that the parties can negotiate appropriate
terms regarding the time and manner of providing access to protected
health information in a designated record set, providing information
to account for disclosures of protected health information, and
for making amendments to protected health information in a designated
record set. Although the language clarifies that the terms are to
be negotiated by the Parties, the agreement must permit the covered
entity to comply with its obligations under the Privacy Rule.
Second, the Department has amended the sample language regarding
review of business associate practices, books, and records to clarify
that the contract must permit the Secretary, not the covered entity,
to have access to such records, including protected health information,
for purposes of determining the covered entity's compliance with
the Privacy Rule. The sample language continues to include the option
that parties additionally agree that the business associate shall
disclose this information to the covered entity for compliance purposes
to indicate that this is still an appropriate approach for this
purpose. The modifications also clarify that parties can negotiate
the time and manner of providing the covered entity with access
to the business associate's internal practices, books, and records.
Finally, the Department has modified the sample language to clarify
that business associates are only required to notify the covered
entity of uses and disclosures of protected health information not
provided for by the agreement of which it becomes aware in order
to more closely align the sample contract provisions with the regulation
text. The Department did not intend to imply a different standard
than that included in the regulation.
The Department has modified the General Use and Disclosure sample
language to clarify that there are two possible approaches, and
that in each approach the use or disclosure of protected health
information by a business associate shall be consistent with the
minimum necessary policies and procedures of the covered entity.
The Department has adopted one change to the sample language under
Specific Use and Disclosure that clarifies that a permitted specific
use of protected health information by the business associate includes
reporting violations of law to appropriate Federal and State authorities.
This would permit a business associate to use or disclose protected
health information in accordance with the standards in Sec. 164.502(j)(1).
We indicate that this is optional text, not required by the Privacy
Rule. Because we have included this language as sample language,
we have deleted discussion of this issue in the statement preceding
the sample business associate contract provisions.
Under Obligations of Covered Entity, the Department has clarified
that covered entities need only notify business associates of a
restriction to the use or disclosure of protected health information
in its notice of privacy practices to the extent that such restriction
may affect the business associates' use or disclosure of protected
health information. The other provisions requiring the covered entity
to notify the business associate of restrictions to the use or disclosure
of protected health information remain and have been modified to
include similar limiting language.
In the Term and Termination provisions, the Department has added
clarifying language that indicates that if neither termination nor
cure is feasible, the covered entity shall report the violation
to the Secretary. We have also clarified that the parties should
negotiate how they will determine whether the return or destruction
of protected health information is infeasible.
Finally, the Department has clarified the miscellaneous provision
regarding interpretation to clarify that ambiguities shall be resolved
to permit the covered entity's compliance with the Privacy Rule.
Each entity should carefully analyze each of the sample provisions
to ensure that it is appropriate given the specific business associate
relationship. Some of the modifications are intended to address
some commenters' concerns that the sample language is weighted too
heavily in favor of the covered entity. Individual parties are reminded
that all contract provisions are subject to negotiation, provided
that they are consistent with the requirements in the Privacy Rule.
The sample language is not intended to, and cannot, substitute for
responsible legal advice.
Response to Other Public Comments
Comment: Several commenters noted that the sample language
was missing certain required contractual elements, such as an effective
date, insurance and indemnification clauses, procedures for amending
the contract, as well as other provisions that may be implicated
by the Privacy Rule, such as the Electronic Transactions Standards.
Some of these commenters requested that the guidance be a complete
model contract rather than sample contract provisions so that the
covered entity would not need legal assistance.
Response: The Department intentionally did not make this
guidance a complete model contract, but rather provided only those
provisions specifically tied to requirements of the Privacy Rule.
As stated above, this guidance does not substitute for legal advice.
Other contract provisions may be dictated by State or other law
or by the relationship between the parties. It is not feasible to
provide sample contracts that would accommodate each situation.
Parties are free to negotiate additional terms, including those
that may be required by other laws or regulations.
Comment: Some commenters requested that use of the sample
business associate contract language create a safe harbor for an
entity that adopts them.
Response: The sample business associate contract provisions
are not a safe harbor. Rather, the sample language is intended to
provide guidance and assist covered entities in the effort required
to enter into a business associate agreement. Use of the sample
provisions or similar provisions, where appropriate, would be considered
evidence of compliance with the business associate contract provisions
of the Privacy Rule. However, contracts will necessarily vary based
on State law and the relationship between the covered entity and
the business associate.
Comment: Some commenters were concerned that the sample
provision permitting a covered entity to have access to the practices,
books, and records of the business associate would impose an audit
requirement on the covered entity.
Response: The sample business associate contract provisions
do not impose any additional requirements on covered entities. Only
the regulation imposes requirements. Therefore, the inclusion of
the provision that the business associate shall allow the covered
entity access to the business associate practices, books, and records
does not indicate that the Privacy Rule imposes an audit requirement
on the covered entity. We have stated numerous times that the Privacy
Rule does not require covered entities to monitor the activities
of their business associates.
Comment: One commenter noted that the business associate
should not be required, under the contract, to mitigate damages
resulting from a violation.
Response: We disagree. In order for a covered entity to
be able to act as it is required to under the Privacy Rule when
a business associate is holding protected health information, the
covered entity must require the same activities of the business
associate through the contract.
Comment: One commenter noted that the Privacy Rule does
not explicitly direct that a covered entity provide its notice of
privacy practices to its business associates.
Response: We agree and have modified the language in the
sample provision accordingly. However, in order for the business
associate to act consistently with the privacy practices of the
covered entity, which is required by the Privacy Rule, the parties
may find it necessary to require disclosure of these policies. To
the extent that parties can craft an alternate approach, they are
free to do so.
Comment: One commenter indicated that traditional contract
terms such as "term" and "termination" should
not be included in the sample language if the Department's intention
is to address only those terms required by the Rule.
Response: Because termination of the business associate
agreement is specifically addressed in the Privacy Rule, we have
retained these provisions in the sample language. As with all other
provisions, parties are free to negotiate alternative Term and Termination
provisions that meet their unique situations and concerns, provided
that they meet the requirements of the Privacy Rule.
Comment: Another commenter indicated that the sample language
should not require the return or destruction of protected health
information in the possession of subcontractors or agents of the
business associate.
Response: We have retained this language as this is consistent
with the Privacy Rule. Section 164.504(e)(2)(ii)(D) requires that
the business associate contract include a provision that the business
associate ensures that any agents, including subcontractors, agree
to the same restrictions and conditions as the business associate.
Generally, the contract must require the business associate to return
or destroy protected health information; therefore, the contract
also must require the business associate to have its agents and subcontractors
do the same. This is reflected in the sample contract language.
Comment: One commenter requested that the sample language
include a provision that the covered entity may impose monetary
damages on a business associate for violation of its privacy policies.
Response: We have not included such a provision because
the Privacy Rule does not address this issue. The Privacy Rule would
not prohibit a monetary damages provision from being included in
the contract. This, again, is a matter to be negotiated between
covered entities and their business associates.
Comment: One commenter suggested that specific references
to sections in the Rule be deleted and either replaced by a general
statement that the contract shall be interpreted in a manner consistent
with the Rule or supplemented with clarifying language with examples.
Response: We believe that using section references is a valid
and expeditious approach as it incorporates changes as modifications
are made to the Privacy Rule. A business associate contract may
take a different approach than using section references to the Privacy
Rule.