Info for Consumers
9.00 Business Associate Agreements

I. Purpose:
To issue instructions to all ADAMH workforce members regarding the necessity for and the required content of agreements with business associates (including in some cases other governmental entities) relating to the business associate's receipt of protected health information (PHI) from or on behalf of ADAMH workforce members.

II. Applicability:
This policy applies to all ADAMH workforce members.

III. Authority:
45 CFR Parts 160 & 164

IV. Definitions:
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Use means with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

Business Associate (BA) means a person or entity who, on behalf of ADAMH, but not in the capacity of a workforce member; performs or assists in the performance of a function or activity that involves the use or disclosure of protected health information (PHI); or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

Protected Health Information (PHI) means individually identifiable information relating to the past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.

Workforce Members means Board of Trustees members, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for ADAMH, is under the direct control of ADAMH, regardless of whether they are paid by ADAMH.
IV. Policy:
  1. Generally: ADAMH may disclose PHI to a BA if ADAMH first obtains adequate assurance that the BA will appropriately safeguard the PHI. This requirement does not apply with respect to: disclosures made to a provider concerning the individual's treatment, or; uses or disclosures made to another governmental agency for purposes of public benefit eligibility or enrollment determinations where such agency is authorized by law to make these determinations.

    ADAMH must document these assurances through a written agreement or as follows. If the BA is another governmental entity, the entity may comply with this requirement by executing a Memorandum of Understanding or like document covering the required terms or, by relying on other law that imposes upon the BA the requirements specified herein. If the BA is required by law to perform a function, activity or service on behalf of ADAMH, ADAMH may disclose PHI to the extent necessary to comply with that mandate as long as the entity documents an attempt to obtain the required assurances and the reasons that such assurances could not be obtained.
  2. Content Requirements: The agreement between ADAMH and the BA must meet the following requirements, as applicable:
    1. Establish permitted and required uses or disclosures of PHI that are consistent with those authorized for ADAMH, except that the agreement may permit the BA to use or disclose PHI for its own management and administration, if such use or disclosure is required by law or the BA obtains reasonable assurance that the confidentiality of the PHI will be maintained.
    2. Provide that the BA will:
      1. Not use or disclose the PHI except as authorized under the agreement or required by law.
      2. Use appropriate administrative, technical, and physical safeguards to prevent unauthorized use or disclosure.
      3. Report unauthorized uses or disclosures to ADAMH.
      4. Will take reasonable steps to mitigate the potentially harmful effects of any breach.
      5. Pass on the same obligations relating to protection of PHI to any subcontractors or agents.
      6. Make PHI available for access by the individual or his/her personal representative, in accordance with relevant law and policy.
      7. Make PHI available for amendment, and incorporate any approved amendments to PHI, in accordance with relevant law and policy.
      8. Make information available for the provision of an accounting of uses and disclosures in accordance with relevant law and policy.
      9. Make its internal practices, books and records relating to its receipt or creation of PHI available to the Office of the U.S. Secretary of Health and Human Services for purposes of determining the entity's compliance with HIPAA regulations.
      10. If feasible, return or destroy all PHI upon termination of contract; if any PHI is retained, continue to extend the full protections specified herein as long as the PHI is maintained.
      11. Authorize termination of the agreement by ADAMH upon a material breach by the BA. (this element of the agreement may be omitted if the BA is another governmental entity and the termination would be inconsistent with the statutory obligations of ADAMH or the BA.)
  3. Oversight Responsibilities: If ADAMH knows of a pattern or practice of the BA that amounts to a material violation of the agreement, ADAMH must attempt to cure the breach or end the violation, and if such attempt is unsuccessful, terminate the agreement, if feasible, and, if not, report the problem to the Office of U.S. Secretary of Health and Human Services.
Info for Consumers

Consumer and Family Advocacy Council Minutes

Success Stories

HIPAA

Consumer Advocate: Phil Hedden

Cultural Competency

Solutions Page

CFAC Calendar

Just for Today Choir

Eli Lilly HELP Center

Housing

The P.E.E.R. Center Calendar
 


Sign up for ADAMH e-newsletters :
Home · Get Immediate Help · Info for Consumers · Learn About ADAMH ·
ADAMH Accountability · Our Support Network · Franklin County
© 2004 ADAMH Board of Franklin County · 447 East Broad Street, Columbus, OH 43215
Phone: (614) 224-1057 · Fax: (614) 224-0991 · Site by Grip Technology