LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 507.01 HIPAA Business Associates
 
  PROCEDURES
 
  1. Managing Business Associate Agreements

 
  1. The DMH Chief Deputy Director, or designee, shall be responsible for managing all agreements with Business Associates assuring that required provisions are included in all appropriate agreements and that such provisions are current and in compliance with the requirements of the HIPAA Privacy Rules. 
     

  2. The provisions of the Business Associate Agreement to be used by DMH are detailed in the Board Letter, approved on January 7, 2003, entitled “APPROVAL OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) AGREEMENT PROVISIONS FOR LOS ANGELES COUNTY AS A COVERED HYBRID ENTITY”. All Business Associate Agreements (Attachment I) executed after October 14, 2002 shall include the Business Associate language. If the contract requires the use or disclosure of PHI to a vendor for non-treatment purposes, DMH must include the Board approved “Business Associate” language with or within the contract. If it is in relation to a purchase order, DMH must request ISD to submit this language with or within the purchase order.
     
    1. If the contract involves the use or disclosure of PHI to a health care provider for treatment purposes, DMH may include the Board approved “Health Care Provider” language with or within the contract. If it is in relation to a purchase order, DMH may request ISD to submit this language with or within the purchase order. This language informs the health care provider that if it is a covered entity, it must also adhere to the necessary HIPAA provisions.
       

    2. If the contract does not involve the disclosure of PHI to a vendor, DMH may include the Board approved “Inadvertent Medical Record Access” (Attachment III) language with or within the contract. If it is in relation to a purchase order, DMH may request ISD to submit this language with or within the purchase order. This language informs the vendor that if any of its employees or subcontractors inadvertently gains access to PHI, it must report it to DMH and not further disclose its findings.
       

    3. DMH is responsible for tracking and managing all of its Business Associate agreements.
       

  3. No changes or modifications to the language of the Business Associate Agreement may be made without prior legal review and authorization by County Counsel and the Chief Information Privacy Officer.
     

  4. DMH managers shall notify the designated Privacy Officer of any potential service agreement with a Business Associate to whom client PHI will be disclosed prior to the execution of the service agreement. Failure to notify the designated Privacy Officer of such impending agreements shall be cause for disciplinary action.

 
  1. The Department’s Responsibility to Business Associates
 
  1. With regard to the use and/or disclosure of PHI by Business Associates, DMH shall provide the necessary information and documentation to assure the Business Associate complies with the privacy practices of DMH and acts in accordance with the wishes of the client regarding his/her PHI.
     

  2. The designated Privacy Officer shall make available the relevant HIPAA Privacy policies and procedures and forms to its Business Associates upon request, to assure that its Business Associates understand the basics of how DMH is executing the HIPAA Privacy Rule, the Department’s legal obligations and the expectations of DMH regarding the activities of its Business Associates to assure compliance with the HIPAA Privacy Rule.
     

  3. The designated Privacy Officer shall notify Business Associates in writing within ten (10) workdays of any arrangements permitted or required by DMH that may impact the use or disclosure of PHI by its Business Associates.

 
  1. Business Associate Obligations to DMH
 
  1. At the request of and in the time and manner specified by the designated Privacy Officer, Business Associates shall provide access to PHI to DMH, the client or his/her personal representative, to whom such PHI relates in order to meet a request under the Client’s Right to Access Health Information Policy.
     

  2. At the request of and in the time and manner specified by the designated Privacy Officer, Business Associates shall make any amendments to PHI that DMH approves and directs as detailed in the Client’s Right to Amend Health Information Policy.
     

  3. At the request of and in the time and manner specified by the designated Privacy Officer, Business Associates shall provide an accounting of disclosure to DMH, the client or his/her personal representative to whom the PHI relates, in order to meet a request under the Client’s Right of Accounting of Disclosure of Protected Health Information Policy.
     

  4. Business Associates shall not use or disclose PHI, except as permitted by the agreement or required by law. The agreement recognizes that a Business Associate may use or disclose PHI for the proper management and administration of its business and as required by law.
     

  5. The Business Associate shall take reasonable steps to ensure that it is receiving only the minimum necessary amount of PHI to provide the contracted services to DMH.
     

  6. Business Associates shall use appropriate safeguards to prevent an unauthorized use or disclosure of PHI.
     

  7. Business Associates shall report violations to the designated Privacy Officer within forty-eight (48) hours upon learning of any unauthorized use or disclosure of PHI.
     

  8. Business Associates shall ensure that their employees and agents, including subcontractors, agree to the same restrictions and conditions on the use or disclosure of PHI that apply to the Business Associate.
     

  9. Business Associates shall make their internal practices, books and records related to the use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for the purposes of determining the Department’s compliance with the HIPAA Privacy Rule.

 
  1. In the event the Business Associate relationship is terminated, the Business Associate shall, if feasible, return or destroy all PHI in its possession relating to any DMH client. The Business Associate shall also recover, return or destroy any PHI in the possession of its subcontractors or agents. If it is not feasible to return or destroy the PHI, the provisions of the agreement shall be extended to protect the PHI so that no one has access to, or can use or disclose, that PHI.
     

  2. If DMH becomes aware of a pattern or practice of the Business Associate that constitutes a material breach or violation of the Business Associate’s obligations under the agreement, the designated Privacy Officer shall require the Business Associate to take prompt and reasonable steps to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the relationship. The designated Privacy Officer shall coordinate activities to address the violation.
 
  1. If efforts fail to cure the breach or end the violation of contract obligations, the County will terminate the agreement with the Business Associate.
     

  2. If circumstances exist that make termination of the Business Associate Agreement not feasible (for example, when there are no other viable business alternatives for DMH), the problem shall be reported to the Chief Information Privacy Officer and to the Office of Civil Rights (OCR).
     

 
  1. When appropriate and necessary, DMH may act in the capacity of a Business Associate for other, external covered entities. The Department’s Chief Deputy Director, or designee, shall be responsible for managing all service agreements in which DMH is performing as a Business Associate by assuring the Business Associate provisions contained in or attached to such an agreement are necessary, appropriate and in compliance with the requirements of the HIPAA Privacy Rule.
 
  1. If the Business Associate provisions are in conjunction with a Board agreement, the Department’s Chief Deputy Director, or designee, shall obtain the approval of County Counsel before signing and accepting any agreement containing Business Associate provisions. Upon acceptance, DMH will adhere to all provisions outlined in the agreement.
     

  2. If the Business Associate provisions are in conjunction with a Purchase Order, the Internal Services Department (ISD) representative shall obtain the approval of County Counsel before signing and accepting the agreement. Upon acceptance, DMH will adhere to all provisions outlined in the agreement.
     

  3. If the Business Associate provisions are not in conjunction with either a Board of Supervisors Agreement or a Purchase Order, the Department’s Chief Deputy Director, or designee, shall obtain the approval of County Counsel before signing and accepting the agreement. Upon acceptance, DMH will adhere to all provisions outlined in the agreement.