LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 507.01 HIPAA Business Associates
 
Policy Category:  Administrative
Distribution Level:  Directly Operated
Responsible Party:  Contract Monitoring
 
Approved by Marvin J. Southard, DSW, Director on April 14, 2003
 
I.  PURPOSE
 
To protect clients’ Protected Health Information (PHI) transferred to, created or received by the business associates of the Department of Mental Health (DMH) by including contractual provisions requiring the Business Associate to safeguard the PHI and use the PHI only as permitted by the Business Associate Arrangement in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This policy relates to relevant Board of Supervisors’ Agreements and Purchase Orders executed by DMH for services by vendors that perform functions, activities or services, other than client care services, on behalf of DMH that involve the use and/or disclosure of PHI.

 
II.  DEFINITIONS
 
Business Associate means a person or entity, other than a member of the Department's workforce, that performs certain functions, activities or services on behalf of DMH requiring the use and/or disclosure of PHI. These functions include, but are not limited to:
Claims Processing or Administration
Accounting
Data Analysis
Consulting
IT Services
Data Aggregation
Quality Assurance
Management Support
Billing
Administration Support
Benefits Management
Accreditation
Practice Management
Financial Services
Legal
Training
Actuarial
Transcription
Document Destruction

Protected Health Information means information that is (i) created or received by a health care provider; (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and (iii) identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
 
III.  POLICY
 
DMH shall execute appropriately drafted agreements with its designated Business Associates, in accordance with the requirement of the HIPAA Privacy Rule at 45 C.F.R. § 164.50(e) 1. DMH and its officers, workforce members and agents shall not disclose client PHI to any Business Associate in the absence of a written agreement. The agreement shall state how the Business Associate may use or disclose the PHI and its obligations to safeguard the PHI.

Business Associate provisions are not required for disclosures by DMH to a health care provider concerning the treatment of a client.

DMH may be designated and act as a Business Associate of other covered entities. DMH will receive appropriate Business Associate provisions from contractors and will comply with those accepted provisions. County Counsel will review and approve appropriate Business Associate provisions.

DMH is not liable for privacy violations of its Business Associates. DMH is not required to actively monitor or oversee the means by which the Business Associates carry out safeguards or the extent to which the Business Associate abides by the requirements of the contract.

DMH will document and retain the executed agreements containing Business Associate provisions, for both Board of Supervisors approved agreements and DMH Purchase Orders containing Business Associate provisions, for a period of at least six (6) years from the date of its creation or the date when it was last in effect, whichever is later.

 
IV.  PROCEDURES
 
Procedures - HIPAA Business Associates
 
V.  AUTHORITY