HIPAA Privacy Policies and Procedures
This policy applies to all Department of Elder Affairs (DOEA) employees, volunteers, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI). It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by including HIPAA compliance requirements in contracts, agreements and purchase orders with Business Associates to whom DOEA discloses PHI.
A Business Associate is a person or entity that is not a member of the workforce and who, on behalf of DOEA through a legal agreement, performs or assists in the performance of a function or activity involving the use of individually identifiable health information.
Business Associate Contract
A contract or agreement between DOEA and the Business Associate must establish the permitted uses and disclosures of such information by the Business Associate. The contract or agreement must prohibit the Business Associate from using or disclosing the information in a manner that would violate the Privacy Rule. The contract or agreement must also authorize termination of the contract or agreement by DOEA, if DOEA determines that the Business Associate has violated a material term of the agreement.
They must also provide that the Business Associate will:
Noncompliance by a Business Associate
DOEA is in violation of the Privacy Rule if DOEA knew of a pattern of activity or practice of the Business Associate that constituted a material breach or violation of the Business Associate’s obligation under the contract, agreement or other arrangement, unless DOEA takes reasonable steps to cure the breach or end the violation and, if unsuccessful, has either:
1. Terminated the contract or agreement or arrangement, if feasible; or
2. If termination is not feasible, reported the problem to the Secretary of HHS.
For each Business Associate with whom DOEA shares PHI, DOEA shall ensure that there is a contract or agreement in place between DOEA and the Business Associate, in which the associate agrees to comply with the requirements of the Privacy Rule. The contract or agreement shall provide that the Business Associate must receive written approval from DOEA before the Business Associate may share the information with any other entity.
All employees shall verify that there is a contract or agreement in place with the Business Associate before disclosing any PHI to the associate. Ask Contract Administration if you are uncertain whether there is a contract or agreement in place.
If any employee receives information or otherwise becomes aware that a Business Associate is failing to adequately safeguard PHI that is provided to the associate by DOEA, the employee should notify his or her supervisor and DOEA Privacy Officer, Office of the General Counsel.
If DOEA accepts an amendment to a client’s PHI, DOEA must make a reasonable effort to inform Business Associates it knows have the PHI that is the subject of the amendment and which may have relied on the information to the detriment of the client.
If DOEA accepts restrictions on the use or disclosure of an individual’s PHI, DOEA’s Business Associates must honor the restriction.
Disclosures to Business Associates are subject to minimum necessary requirements.
Business Associates are included in policy updates (provided by DOEA or a vendor for stakeholders) and in compliance audits conducted by the HIPAA Administrator through the Contract Administration unit.
DOEA ensures all Business Associates uphold consistent privacy practices and training programs for employees. DOEA might include a training requirement in Business Associate contracts as a means of protecting the PHI provided to them. DOEA includes HIPAA compliance in the agency’s monitoring process.
DOEA must be sure those responsible for administering policy and maintaining contracts are aware of all Business Associate relationships and have a mechanism to be notified of changes to those relationships. New contracts and agreements must be reviewed by the General Counsel for HIPAA compliance.
DOEA is not considered to have violated Privacy Rule requirements if a Business Associate discloses PHI as a whistleblower.
DOEA must mitigate as best it can harmful effects from uses and disclosures by its Business Associates that violate DOEA privacy policies and procedures.
Violations must be reported to the DOEA Privacy Officer, the General Counsel.
45 CFR 164.502(e)
45 CFR 164.524
45 CFR 164.504(e)