audit your current policies & procedures, build your plan...

Audit Your Current Policies & Procedures, Build Your Plan of Attack 1 |

Arlene Maxim

VP of Program Development, QIRT

Audit Your Current Policies & Procedures, Build Your Plan of Attack


Conditions of Participation

Overview


CMS CoP Timeline

• On October 6, 2014, CMS released proposed changes to the Home Health Conditions of Participation (CoPs).

• This is the first time in 17 years that CMS revised the CoPs.

• CMS had a maximum of three years to issue a final version of the proposed COP changes. The deadline for comments was December 9, 2014.

• This change is a ‘sea change’ to the CoPs: every condition has either been changed or replaced.

• ALL changes must be implemented no later than July 13, 2017 (Updated to effective Jan. 2018).

2017 Copyright, DecisionHealth, an H3.Group division of Simplify Compliance LLC. All rights reserved. These materials may not be copied without written permission.


CMS Principles in Transformation

• The woven theme throughout the current proposed rule is integration, communication, and coordination.

• The following principles were used in the transformation of the Conditions of Participation for the homecare industry:– The development of a more continuous, integrated care process

across all aspects of home health.

– The process is based on a patient‐centered assessment, care planning, service delivery, quality assessment and performance improvement.

– Transition toward a patient outcome based system.

– The use of an interdisciplinary/patient centered approach. The approach will need to include the contributions of various skilled professionals and their interactions with each other to meet the patient’s needs.


Principles in Transformation

• Focus is on quality improvement by incorporating an outcome‐oriented, data‐driven quality assessment and performance improvement program specific to each agency.

• Shift of the focus away from administrative process requirements lacking adequate consensus or evidence that they are predictive of either achieving clinically relevant outcomes for patients or preventing harmful outcomes for patients

• To focus on a patient‐centered, data‐driven, outcome‐oriented process that promotes high quality patient care at all times for all patients


Extent of Revision

• The nature of the CoP changes for 2017, include:

– Revisions or expansions to Conditions

– Removal of Conditions

– New additional Conditions

• EVERY CONDITION HAS BEEN EITHER REVISED OR REPLACED.



Financial Impact

Original Projection

• CMS originally projected that the industry would have an expense with the anticipated CoP changes:– $148 million overall in the

first year

– $142 million in years two and thereafter.

Final Rule Projection

• In the Final Rule 2017, CMS states that the changes will cost the agencies much more, with the greater expense falling on the changes to patient rights:– $293.3 million in year 1

– $290.1 million in year 2 and thereafter


Agency Impact

• With the magnitude of the wave of change, agencies must prepare for an intensive revision of their internal guidance:– Agency assessment

– Policy and procedure revisions


Preparing for Policy and Procedure RevisionAgency Assessment / Evaluation



Agency Assessment

• In order to prepare for the extent of the policy and procedure revision, the agency must first conduct an evaluation of their existing policies and procedures.


Conducting an Agency Assessment

• For an assessment / evaluation of the Policies and Procedures, the agency does not need to conduct a full agency compliance audit.

– Policy and procedure review of• Administrative policies

• Human resources policies

• Education / orientation policies

• Job descriptions

• Internal processes for program reviews (QAPI, infection control and prevention, staff development, etc.)


Conducting an Agency Assessment (cont.)

• Establish a multi‐professional committee.

• Schedule meeting and establish protected calendar of review sessions.

• Allocate review assignments.

• Consider developing a policy and procedure review tool in line with the applicable CoPs.

• Establish the revision or development needs as a collaborative group.

• Develop outline and timeline for completion.



Conducting an Agency Assessment (cont.)

• Considerations for Agency

– Budget for ‘non‐productive’ time for project.

– Identify necessary resources.

– Consider outsourcing assessment and revision project.


Policy and Procedure Revision

Planning, Committee, and Resources


Planning for the Revisions

• In planning for the P&P revisions and new development (as applicable), the following are tips to make the project more efficient and streamlined:– Begin by dissecting the new CoPs.

– Take the Condition references and flag the applicable policies, procedures, workflows, processes, and departmental tools.

– Assign the review based on internal expertise, affected departments, and roles/responsibilities.

– Consider reaching out to accreditation entity for format, templates, and crosswalks.

– Collaborate with EMR provider to discuss their tools and resources.



Planning for the Revisions (cont.)

• The review for new or revised policies, should follow a cycle that brings the agency back to a compliant Condition of Participation for operations:– The condition or standard will lead to a revision or new agency

policy or procedure, as the P&P manual should be the agency guidance for operations.

– The policies and procedures will be supported or carried out by programs, workflows, processes.

– The new CoPs, and thus new P&Ps, processes and programs, will likely lead to revisions and updates to job descriptions and/or role expectations.

– This will take the agency to a point of establishing the educational needs for rolling out, as well as the anticipated cost of the process.


Policy and Procedure Cycle

Conditions and Standards

Policies and Procedures

Workflows

Processes

Programs

Job Descriptions

Role Requirements

Budgeting

Planning

Education


Conditions of Participation

Review of Changes and Policies and Procedure Impact



Process

• Identify the revised CoP and associated standards.

• Outline every policy and procedure that falls under the CoP.

• Begin revision accordingly.


• One example of the CoP / P&P association includes §484.50 Condition of Participation: Patient Rights.– The patient and representative (if any) have the right to be

informed of the patient’s rights in a language and manner the individual understands. The HHA must protect and promote the exercise of these rights.

• Standards– Notice of rights– Exercise rights– Rights of the patient– Transfer and discharge– Investigation of complaints– Accessibility


Policy and Procedure Association

§484.50 Condition of Participation: Patient Rights

• The policies and procedures that are impacted by this one CoP revision, will be found in part or in whole, in the following chapters:– Organization and Administration

– Programs, Services and Operations

– Patient Referral, Intake, Admission and Ongoing Communication

– Patient Care and Documentation

– Documentation Retention

– Quality Assurance

– Patient Safety and Emergency Management



Policy and Procedure Association (cont.)

• The P&Ps that the agency has in place, may be titled differently, but they meet the same requirements.

• It is critical to know all of the affected areas as the program is being reviewed and revised.

• One (1) CoP may impact multiple policies and procedures.

• One (1) Policy and Procedure may encompass multiple CoPs or standards.


Programs, Workflows, and ProcessesOne revision leads to another.


P&P Revisions Lead to Program Enhancements

• The CoP revisions and/or new additions, that speak to some areas of operation, will have a major impact on the programs as they stand:

– QAPI

– Infection Control and Prevention

– Compliance



P&P Revisions Lead to Program Enhancements (cont.)

• The QAPI CoP enhancements are lengthy, comprehensive, and detailed. In addition, they touch upon other areas of operation. The QAPI program alone will undergo major edits in order to comply.

• Infection Control is now Infection Control and Prevention, thus adding another layer of responsibilities, enforcement and planning requirements. Again, this will impact the program function and demand revision.


Job Descriptions and Roles

Definition Changes May Lead to Operational Changes with Major Positions


Job Descriptions and Role Change Requirements

• The new CoPs and definition/language edits will impact other job related areas:

– Job description revisions• Supervising Nurse language changed to Clinical Manager. Many agencies have Clinical Managers (plural) who serve a different purpose as the Supervising Nurse as defined previously. This may require a job description and title change of the affected personnel.

– Role revisions• The administrator definition has been changed, and it is clear that the expectation is that the role be served by a full‐time employee (of the agency).



Planning and Budgeting

Preparing for the Revisions, Roll‐Outs and Overall Education


The Financial Impact is Multifold

Initial Phase

• Planning– Non‐productive time for committee

– Preparing for educational initiatives

• Initial launch– Anticipate a higher volume of education

and follow up resources

• Written publications of materials– P&Ps

– Program materials

– Forms, tools, documents

– Educational literature

– Workflows

– Processes

Ongoing

• Committee allocation and duties

– Ongoing maintenance of program

– Revisions to program

• Ongoing staff development

– Reinforcement

– New employee training

– Revisions to educational materials

• Written materials

– Maintenance of all noted materials


Summary

• Agency policies and procedures will be in continual scrutiny to ensure compliance and understanding.

• The Policies and Procedures, being the working guide to operate by, will impact additional departments, materials and requirements.

• There is a real cost to these enhancements that must be accounted for.

• Start preparing now.

• Agencies do not have to recreate the wheel…allow a third‐party company of experts assist you in the review and revision of the program



Disclaimer:

• QIRT (Quality in Real Time)© presentations are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the participants individually and, unless expressly stated and identified to the contrary, are not the opinion or position of the bodies that govern and regulate healthcare. Attendees should note that sessions are audio‐recorded and may be published in various media, including print, audio and video formats without further notice.


Thank You

Questions?


JOB DESCRIPTION Administrator JOB SUMMARY: The Administrator ensures quality and safe delivery of home health care services; coordinates services that reflect the Agency's philosophy and standards of care; and plans, develops, implements and evaluates Agency services, programs and activities. QUALIFICATIONS: 1. A person who is a licensed physician, or 2. Is a registered nurse, or 3. Has training and experience in health services administration and at least five (5) years of

supervisory or administrative experience in home health care or related health program. 4. Demonstrated ability in or application of organizational/communication skills. 5. Ability to deal effectively with high levels of stress. 6. Ability to enlist the cooperation of many people in furthering a program. RESPONSIBILITIES: 1. Organizes and directs the Agency’s ongoing liaison among the Governing Body, Quality

Committees, Oversight Panels and staff. 2. Employees qualified personnel and ensures adequate staff education and evaluations. 3. Ensures the accuracy of public information materials and activities. 4. Implements an effective budgeting and accounting system; assures accuracy for billing

procedures. 5. Shares copies of philosophy with all employees. 6. Consistently follows Agency policies and procedures to set an example for employees. 7. Reviews Agency manuals once per year for completeness. 8. Assesses employees on an ongoing basis to ascertain their understanding of policies and

procedures. 9. Assists employees to support policies and achieve necessary changes. 10. Uniformly enforces policies and procedures. 11. Maintains two way communication with employees and fair administration of personnel

policies. 12. Documents employee problems in personnel files. 13. Disciplines employees as necessary. 14. Directs the Agency's ongoing functions. 15. Monitors budget hours and does not exceed allowance each year. 16. Monitors equipment abuse and takes steps to keep it to a minimum. 17. Evaluates effectiveness and efficiency of the Agency. 18. Uses statistical data to determine quality and quantity of services.


Job Description – Administrator…continued

19. Maintains compliance with applicable federal, state, The Joint Commission and local rules

and regulations. 20. Supervises all business affairs. 21. Develops, implements and evaluates financial policies and procedures and records. 22. Develops, implements and evaluates budget plan and cost control policies and procedures. 23. Develops and implements salary program within approved policies and procedures. 24. Participates in personal professional growth and development. 25. Plans and directs operations to ensure the provision of adequate and appropriate care and

services. 26. Fiscal planning, budgeting and management. 27. Recruits employees and retains qualified personnel to maintain appropriate staffing levels. 28. Establishes and maintains effective channels of communication. 29. Ensure Agency personnel have current clinical information and current practices. 30. Evaluates services and programs. 31. Ensures staff development including orientation, inservice education and continuing

education. 32. Coordinates with other program areas and management as appropriate. 33. Maintains current knowledge of local trends and issue. 34. Ensures that appropriate service policies are developed and implemented. 35. Directs staff in performance of their duties including admission, discharge and provision of

service to patients. 36. Assures appropriate staff supervision during all operating hours. 37. Ensures the accuracy of public information materials and activities. 38. Appoints a similarly qualified alternate to be available at all times during operating hours in

the absence of the Administrator. WORKING ENVIRONMENT: Works indoors in the Agency office. JOB RELATIONSHIPS: 1. Supervised by: Governing Body/Professional Advisory Committee 2. Workers Supervised: All home care staff RISK EXPOSURE: Low risk


Job Description – Administrator…continued

LIFTING REQUIREMENTS: Ability to perform the following tasks if necessary:

Ability to participate in physical activity.

Ability to work for extended period of time while standing and being involved in physical activity.

Moderate lifting. Ability to do extensive bending, lifting and standing on a regular basis.

I have read the above job description and fully understand the conditions set forth therein, and if employed as an Administrator, I will perform these duties to the best of my knowledge and ability.

Date Signature


All policies, procedures and forms should be updated immediately following the release of the Interpretive Guidelines for the new Home Health Conditions of Participation

Patient Bill of Rights ______________________ POLICY

The Agency will provide each patient with a written notice of the patient’s rights in advance of furnishing care to the patient or during the initial evaluation visit before the initiation of treatment. ______________________ PURPOSE

The Agency protects and promotes the rights of everyone in its care. _____________________ REFERENCE

§484.50 Condition of Participation: Patient Rights [Insert Accreditation Reference] ______________________ RELATED DOCUMENTS

“Patient’s Bill of Rights/Responsibilities” form [Insert Agency Bill of Rights] ______________________ PROCEDURE

1. The Agency protects and promotes the rights of everyone. In advance of furnishing care to the patient or during the initial evaluation visit before the initiation of treatment, the patient is informed both verbally and in writing of all rights including: To have your cultural, psychosocial, spiritual and personal values, beliefs and

preferences respected. To have complaints investigated made by the patient, patient’s family or guardian

regarding treatment or care that is (or fails to be) furnished, or regarding the lack of respect for patient’s property by anyone furnishing services on behalf of the Agency. You will not be subject to discrimination for doing so. Agency must document both the existence of the complaint and the resolution of the complaint.

To have your property treated with respect. To be informed of the procedure you can follow to lodge complaints with the Agency

about the care that is, or fails to be, furnished, and regarding a lack of respect for property. To lodge complaints, call us at ________________________ (Agency specific phone number).

To know about the disposition of such complaints. To voice their grievances without fear of discrimination or reprisal for having done so.



To be advised of the telephone number and hours of operation of the state’s Home Health Agency hotline, that receives complaints or questions about local home care agencies. The hours are 24 hours a day, seven (7) days a week and the telephone number is ________________________. The hotline also receives complaints about advance directives.

To personal dignity. To effective communication. To be free from mental, physical, sexual and verbal abuse, neglect and exploitation. To refuse to participate in investigational, experimental, research or clinical trials. To be notified in advance about the care that is to be furnished, the types (disciplines)

of the caregivers who will furnish the care and the frequency of the visits that are proposed to be furnished.

To be advised in advance of the right to participate in planning care or treatment and in planning changes in care before the change is made.

To be informed of rights under state law to make decisions concerning medical care, including the right to accept or refuse treatment and the right to formulate advance directives.

To be informed of policies and procedures for implementing advance directives, including any limitations if the Agency cannot implement an advance directive on the basis of conscience.

To receive care without condition on, or discrimination based on, the execution of advance directives.

To refuse care without fear of reprisal or discrimination and in accordance with law and regulation. If you are not legally responsible, your surrogate decision maker may refuse care on your behalf as permitted by law.

To exercise his/her rights as a patient of the Agency. The patient’s family or guardian may exercise the patient’s rights when the patient

has been judged incompetent. To confidentiality of your medical record as well as information about their health,

social and financial circumstances and about what takes place in the home. To expect the Agency to release information only as required by law or authorized by

the patient and to be informed of procedures for disclosure. To access, request an amendment to and receive an accounting of disclosures

regarding your own health information as permitted under applicable law. To be informed of the extent to which payment may be expected from Medicare,

Medicaid or any other payor known to the Agency. To be informed of any charges that will not be covered by Medicare. To be informed of the charges for which the patient may be liable and to receive this

information, orally and in writing, before care is initiated and within 30 calendar days of the date the Agency becomes aware of any changes.

To have access upon request to all bills for service the patient has received, regardless of whether the bills are paid out-of-pocket or by another party.

To be admitted by the Agency only if it has the resources needed to provide the care safely and at the required level of intensity, as determined by a professional assessment. The Agency with less than optimal resources may nevertheless admit the patient if a more appropriate provider is not available, but only after fully informing



the patient of the Agency’s limitations and the lack of suitable alternative arrangements.

To effective pain management. 2. Agency maintains documentation in the patient’s medical record demonstrating

compliance with informing patient about rights. 3. Patients will be informed of their rights on an ongoing basis as indicated.


INDEPENDENT CONTRACTOR AGREEMENT FOR HEALTH CARE PROVIDERS

This Independent Contractor Agreement (“Agreement”) is made this _____ day of ______________, 20___, between [Agency Name], its employees, officers, trustees, affiliates, regional campuses, agents and representatives (hereinafter referred to as “Agency”) and _________________________________ (hereinafter referred to as “Provider”). In consideration of the mutual promises herein contained, the parties agree as follows: 1. Independent Contractor. Provider agrees to provide the professional services described herein as an independent contractor. It is mutually understood and agreed that Provider is at all times acting and performing these duties and functions in the capacity of an independent contractor; that [Agency] shall neither have nor exercise any control or direction over the methods by which Provider performs Provider’s services, nor shall [Agency] and Provider be deemed partners. [Agency] shall have the right to determine what services shall be provided, but not the manner in which services shall be provided. It is expressly agreed by the parties hereto that no work, act, commission or omission by Provider pursuant to the terms and conditions of this Agreement shall be construed to make or render Provider the agent, employee or servant of [Agency]. Provider shall be responsible for the payment of all federal, state and local taxes incurred as a result of this Agreement, and further agrees to indemnify and hold [Agency] harmless from the same. 2. Services. Provider agrees to provide professional health care services to [Agency] at ______________________________________________ (name of provider and location), as requested by [Agency]. Provider agrees to perform such services, at all times, in strict accordance with currently approved and accepted methods and practices in his or her profession. Provider agrees to maintain the applicable professional licensure and to practice within the scope of the applicable professional standards of care and scope of practice. Provider further agrees to provide services in a professional, timely and competent manner, and to comply with all applicable procedures and policies of [Agency] and the clinic. Provider agrees to provide such services as may be requested by [Agency] and as needed to discharge the duties and obligations of this Agreement. [Agency] and Provider will agree in advance upon a mutually acceptable schedule for Provider’s services to [Agency]. 3. Licensure and Professional Liability Insurance. As a condition of this Agreement, the Provider shall maintain all applicable licenses and certification requirements and shall at all times during the term of this Agreement, meet all requirements of the State of [State] or other regulatory entity for such licensing, certification or credentialing. Provider shall maintain in force throughout the term of this Agreement such policies of professional liability insurance as shall be required to qualify Provider for coverage under the [State] Medical Malpractice Act (the “Act”), and to insure Provider against any claim or claims for damage arising by reason of personal injuries or death occasioned directly or indirectly in connection with the performance or any service provided hereunder in such amount as shall be required from time to time under the Act. Provider shall demonstrate proof of such insurance coverage by providing [Agency] with the applicable certificate or policy. 4. Representations of Provider. Provider represents and warrants that, except as previously disclosed in writing to [Agency], the following are true with respect to each Provider (if applicable):


A. Provider’s license or certification in any state has never been suspended, revoked, restricted, or deemed to be probationary; B. Provider has never been reprimanded, sanctioned, or disciplined by any licensing or accrediting board; C. There has never been entered against Provider a final judgment in a professional liability action and no action, based on an allegation of professional liability or malpractice by the Provider has ever been settled by payment to the plaintiff; D. Provider has never been denied membership or reappointment of membership on the medical staff of any hospital, and no clinical privileges of the Provider have ever been suspended, curtailed, or revoked; and E. As of the date hereof, Provider has not been the subject of any report or disclosure submitted to the National Practitioner Data Bank. 5. Contract Rate. Provider shall be compensated for services performed under this Agreement as follows: ___[insert per visit rate or hourly rate for services]_______ _. Provider shall be paid only for work actually performed by Provider under the terms of this Agreement, and Provider shall not be entitled to any additional compensation or other benefits of any kind. 6. Billing. Provider shall invoice [Agency] each month, which invoice shall be due and payable 30 days from receipt. Invoices should be sent to the following [Agency] individual: [Agency] Contact Name: ___________________________________________ Address: _________________________________________________ Departmental Area: ______________________________________________ 7. Compliance with Laws. Provider agrees to comply with all federal, state and local laws and regulations applicable to the services to be provided under this Agreement. The parties further agree that they will protect and secure the privacy and confidentiality of patient information and will comply with the requirements contained in the attached Business Associate Addendum. 8. Debarment. Provider represents and warrants that Provider has never been sanctioned by the Office of Inspector General (“OIG”) of the Department of Health and Human Services, barred from federal or state procurement programs, or convicted of a criminal offense with respect to health care reimbursement. Provider shall notify [Agency] immediately if the foregoing representation becomes untrue, or if Provider is notified by the OIG or other enforcement agencies that an investigation has begun which could lead to such sanction, debarment, or conviction. 9. Confidentiality. The parties hereby acknowledge and agree that the terms of this Agreement shall be kept confidential and that neither party shall disclose matters related to this Agreement without the expressed written consent of the other party, unless required to disclose such information by statute, regulation or court order. In addition, during the term of this Agreement, each of the parties hereto may receive intentionally or unintentionally certain proprietary and confidential information (which may include confidential medical information and records) not otherwise a part of public domain through no fault of a party hereto (“Proprietary Information”), the disclosure of which would be extremely detrimental to the business affairs of the other. Therefore, each of the parties hereto (for itself and its employees, agents and representatives) agrees to keep the Proprietary Information of the other in the strictest confidence and each agrees not to


duplicate any Proprietary Information of the other and not to directly or indirectly divulge, disclose, reveal, report or transfer such Proprietary Information without the prior written consent of the other. This provision shall survive the termination of this Agreement. 10. Indemnity. Provider agrees to indemnify and hold harmless [Agency], its employees, officers, trustees, affiliates, regional campuses, agents and representatives from and against any losses, costs, damages, and expenses resulting from claims for bodily injury or property damage arising out of the Provider’s services under this Agreement. 11. Term. This Agreement shall be effective for a term of ____________ beginning on _________________________, unless terminated earlier in accordance with this Agreement. 12. Termination. Either party may terminate this Agreement by providing thirty (30) days prior, written notice to the other party. Either party may terminate this Agreement immediately as a result of a breach of any of the provisions or terms of this Agreement by the other party if the breaching party fails, after ten (10) days written notice, to cure such breach to the reasonable satisfaction of the non-breaching party. [Agency] may terminate this Agreement immediately if any of the representations of Provider in paragraphs 3, 4 or 8 of this Agreement become untrue. 13. Notice. Any notice required to be provided to any party to this Agreement shall be considered effective as of the date of deposit with the United States Postal Service by certified or registered mail, postage prepaid, return receipt and addressed to the party at the following address: 4 If to [Agency]: If to Provider: ________________________ ___________________ ________________________ ___________________ ________________________ ___________________ 14. Governing Law and Venue. The validity, construction and effect of this Agreement, and all extensions and modifications thereof, shall be construed in accordance with the laws of the State of [State] without regard to its choice of law rules, and Tippecanoe County, [State] shall be the exclusive venue for any suit, litigation or alternate dispute resolution brought pursuant to this Agreement. 15. Medical Records. Provider agrees to complete all required charting in the medical record in a prompt and timely manner and in accordance with any applicable policies and procedure of [Agency]. The ownership and right of control of all reports, records and supporting documents prepared in connection with the services contemplated herein shall vest exclusively with [Agency] and shall remain, at all times, at the clinic where services are provided; provided, however, that Provider shall have such right of access to such reports, records and supporting documentation as necessary for the provision of professional services hereunder. 16. No Assignment. Neither this Agreement nor any rights or obligations hereunder shall be assigned by either party without the prior written consent of the non-assigning party. 17. Entire Agreement. This Agreement constitutes the entire agreement of the parties with respect to the matters contained herein, and supersedes any and all other discussions, statements and understandings regarding such matters. This Agreement shall be amended only upon the execution of a written agreement by both parties hereto. Any attempt to


amend or modify this Agreement in any manner other than by written instrument executed by the parties shall be void. 18. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or permitted assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever. 19. Miscellaneous. A. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions will nevertheless continue in full force without being impaired or invalidated in any way. B. Each party to this Agreement acknowledges that no representations, inducements, promises or agreements, orally or otherwise, have been made by either party, or anyone acting on behalf of either party, which are not embodied herein, and that no other arrangement, statement or promise not contained in this Agreement shall be valid or binding. C. In addition to those remedies provided for herein, both parties shall have available all remedies provided by law.

IN WITNESS WHEREOF, the parties have caused their duly authorized representatives to

execute this Agreement. [AGENCY NAME] PROVIDER

___________________________ ______________________________ Signed ___________________________ _______________________________ Printed _________________________ _______________________________ Title


[AGENCY NAME]

BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum is entered into by and between [Agency] University (“Agency”) and ___________________________________ (“Business Associate”) (each “Party”, collectively “Parties”). The Parties have a prior written agreement, dated ___________________, (“the Primary Agreement”) under which the Business Associate regularly receives, uses and/or discloses Protected Health Information in its performance of the services described in the Primary Agreement. This Addendum sets forth the obligations and agreements of the Parties relating to compliance with the Standards for Privacy of Individually Identifiable Health Information (“the Privacy Regulation”), 45 C.F.R. Parts 160 and 164, and the Security Regulations (45 C.F.R. Parts 160, 162, and 164), promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health (“HITECH”), and the [State] statutes governing social security numbers, I.C. 4-1-10-1 et. seq. This Addendum applies to all Protected Health Information created or received by Business Associate from [Agency] or from another person or entity on behalf of [Agency], and governs how such Protected Health Information may be used or disclosed. The Parties hereby agree as follows: 1. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION 1.1 Business Associate shall be permitted to use and/or disclose Protected Health Information created or received on behalf of [Agency] for all purposes necessary to provide the services and to perform its obligations under the Primary Agreement, provided that said use and/or disclosure complies with the requirements of HIPAA. Business Associate acknowledges that under the requirements of HITECH, the HIPAA Privacy and Security Regulations apply to business associates and the additional privacy requirements set forth in HITECH apply to Business Associate to the same extent that they apply to covered entities under HIPAA. The requirements of the HITECH statutes are incorporated herein by reference. In accordance with the applicable requirements of HITECH, any uses or disclosures of PHI must be limited, to the extent practicable, to the Limited Data Set, or, if needed to accomplish the purposes of this Addendum, to the minimum necessary to accomplish the intended purpose of such use or disclosure. 1.2 Subject to paragraph 1.1, Business Associate may use Protected Health Information created or received by Business Associate from or on behalf of [Agency], if necessary, for the proper management and administration of the Business Associate and to fulfill any current or future legal responsibilities of the Business Associate. 1.3 Subject to paragraph 1.1, Business Associate may disclose Protected Health Information created or received by Business Associate on behalf of [Agency], if necessary, for the proper management and administration of the Business Associate and to fulfill any current or future legal responsibilities of the Business Associate, provided: 1.3.1 The disclosure is Required by Law, or


1.3.2 Business Associate obtains satisfactory assurances from the person or entity to whom the Protected Health Information is disclosed that (i) the Protected Health Information will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and (ii) the Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the information is breached. 1.3.3 As of the effective date of the applicable HITECH regulations, Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an individual unless Business Associate has obtained from the individual a valid authorization that includes specification of whether the Protected Health Information can be further exchanged for remuneration by the Business Associate. 2. RESPONSIBILITIES OF BUSINESS ASSOCIATE WITH RESPECT TO PROTECTED HEALTH INFORMATION 2.1 Business Associate agrees not to use or disclose Protected Health Information except as expressly permitted by this Addendum, HIPAA, or as Required by Law. 2.2 Business Associate hereby agrees to maintain the security and privacy of all Protected Health Information in a manner consistent with [State] and Federal laws and regulations, including but not limited to the HIPAA Privacy Regulations and the Security Regulations(45 C.F.R. Parts 160, 162, and 164) and HITECH and I.C. 4-1-10-1 et. seq., and Business Associate further agrees to use appropriate safeguards and security procedures to prevent use or disclosure of Protected Health Information not permitted by this Addendum. 2.3 Business Associate shall not disclose Protected Health Information to any member of its workforce unless such member of its workforce has a need to use such Protected Health Information, and Business Associate has advised such person of Business Associate’s privacy and security obligations under this Addendum, including the consequences for violation of such obligations. Business Associate shall take appropriate disciplinary action against any member of its workforce who uses or discloses Protected Health Information in violation of this Addendum or applicable law. 2.4 Business Associate shall require all of its subcontractors and agents that receive or use, or have access to, Protected Health Information under this Addendum to agree, in writing, to adhere to the same restrictions and conditions on the use or disclosure of Protected Health Information that apply to the Business Associate pursuant to this Addendum. 2.5. Business Associate agrees to maintain a record of all disclosures of Protected Health Information, including disclosures not made for the purposes of this Addendum, and further agrees within ten (10) days of a written request from [Agency], to provide to [Agency] such information as is necessary to permit [Agency] to respond to a request by an individual for an accounting of the disclosures of the individual’s Protected Health Information in accordance with 45 C.F.R. § 164.528. Business


Associate further agrees to comply with the requirements of HITECH to provide [Agency] with an accounting of all disclosures made for treatment, payment and health care operations when the HITECH statute requiring such an accounting becomes applicable to [Agency]. [Agency] agrees to notify Business Associate in advance of the applicability of this requirement. 2.6. Business Associate agrees to report to [Agency] any unauthorized use or disclosure of Protected Health Information by Business Associate or its workforce, agents or subcontractors and the remedial action taken or proposed to be taken with respect to such use or disclosure in accordance with the specific provisions of Section 2.11. 2.7 Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from [Agency], or created or received by Business Associate on behalf of [Agency], available to the Secretary of the United States Department of Health and Human Services, for purposes of determining [Agency]’s compliance with HIPAA. 2.8. Within thirty (30) days of a written request, Business Associate shall allow a person who is the subject of Protected Health Information, such person’s legal representative, or [Agency] to have access to and to copy such person’s Protected Health Information maintained by Business Associate. Business Associate shall provide Protected Health Information in the format requested by such person, legal representative, or practitioner unless it is not readily producible in such format, in which case it shall be produced in standard hard copy format. Business Associate acknowledges that HITECH requires [Agency] and Business Associate to provide electronic health records to the individual in electronic format, and Business Associate agrees that to the extent applicable, Business Associate will produce any Protected Health Information in electronic format in a manner requested by [Agency] or by the individual who has made the request. 2.9 Within ten (10) days of a written request by [Agency], Business Associate shall make available to [Agency] Protected Health Information received from or on behalf of [Agency] for amendment in accordance with 45 C.F.R. § 164.526. Business Associate further agrees to make such amendment to Protected Health Information as directed by [Agency] within thirty (30) days of a written request by [Agency]. 2.10 Business Associate shall implement and document appropriate administrative, physical and technical safeguards in order to preserve the confidentiality, integrity and availability of all Protected Health Information and to prevent any unauthorized use or disclosure of Protected Health Information, or any breach or security incident, or other material breach or violation of an underlying contract, this Addendum, HIPAA and HITECH involving said Protected Health Information. Business Associate shall further: 2.10.1 Establish administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by § 164.314 of the Security Regulations. Business Associate represents and warrants that its security


program is periodically reviewed and appropriate updates are implemented to address any gaps identified in its security program. Business Associate agrees to make its security policies and procedures available to [Agency] upon reasonable request. 2.10.2 Require all of its subcontractors and agents that receive, use or have access to Protected Health Information to implement reasonable and appropriate security safeguards to protect it from unauthorized use or disclosure, and to report any improper use or disclosure of Protected Health Information in the time and manner required of Business Associate herein. 2.10.3 Immediately report to [Agency] any unauthorized or improper use or disclosure of Protected Health Information, including without limitation, any security or privacy incident or breach involving the Protected Health Information (“Incident”) without unreasonable delay, and not more than twenty-four (24) hours after Business Associate becomes aware of the Incident by Business Associate or its workforce, agents or subcontractors, and to provide [Agency] with notice and a report containing all information necessary to permit [Agency] to timely comply with HIPAA notification provisions and its implementing rules or any other applicable reporting law, if necessary. Said report shall identify: (i) the known facts and circumstances related to the Incident; (ii) the individuals affected; (iii) the Protected Health Information that is known to be the subject of the Incident; (iv) the persons who are known to have information about the Incident; and (v) the corrective action that Business Associate took or will take to mitigate any deleterious effects of the Incident and to prevent future incidents. Business Associate further acknowledges that it is familiar with the requirements of I.C. 4-1-11 concerning breaches of security and notification of disclosures of social security numbers. To the extent Business Associate must make its own notification involving any disclosure of Protected Health Information, Business Associate agrees to cooperate with [Agency] regarding the notification process prior to making such notification. 2.10.4 Implement reasonable policies and procedures designed to detect and provide appropriate response to relevant “Red Flags” that identity theft may be occurring (as defined in 16 CFR 681.2) or that may arise in the performance of Business Associate’s activities, if Business Associate has access to information protected under the Red Flag Rules. Business Associate agrees that policies and procedures to detect relevant “Red Flags” are updated periodically. Business Associate further agrees to notify [Agency] of the detection of a Red Flag and to implement reasonable steps to prevent or mitigate identity theft.


3. TERM AND TERMINATION 3.1 This Addendum shall commence as of the date first signed below, and the obligations set forth in this Addendum shall continue in effect as long as Business Associate uses, discloses, creates, receives or otherwise possesses any Protected Health Information created or received from or on behalf of [Agency] and until all such Protected Health Information is destroyed or returned to [Agency] pursuant to the terms of this Addendum. 3.2 [Agency] may immediately terminate this Addendum and the Primary Agreement if [Agency] determines that the Business Associate has breached a material term of this Addendum. Alternatively, [Agency] may choose to: (i) provide Business Associate an opportunity to cure said alleged material breach to the satisfaction of [Agency] within ten (10) days. The Business Associate’s failure to cure shall be grounds for immediate termination of this Addendum. [Agency]’s remedies under this Addendum are cumulative, and the exercise of any remedy shall not preclude the exercise of any other. 3.3. Upon termination of this Addendum, Business Associate shall return or destroy, by rendering the Protected Health Information unusable, unreadable or undecipherable or beyond the ability to recover, all Protected Health Information received from [Agency], or created or received by Business Associate on behalf of [Agency] and that Business Associate maintains in any form, and Business Associate shall retain no copies of such information. If the parties mutually agree that return or destruction of Protected Health Information is not feasible, Business Associate shall continue to maintain the security and privacy of such Protected Health Information in a manner consistent with the obligations of this Addendum and as required by applicable law, and shall limit further use of the information to those purposes that make the return or destruction of the information infeasible. The duties hereunder to maintain the security and privacy of Protected Health Information shall survive the termination of this Addendum. 4. AMENDMENT TO ADDENDUM [Agency] may amend this Addendum by providing ten (10) days prior written notice to Business Associate in order to maintain compliance with [State] or Federal laws or regulations. Such amendment shall be binding upon Business Associate at the end of the ten (10) day period and shall not require the consent of Business Associate. Business Associate may elect to terminate the Addendum within the ten (10) day period, but Business Associate’s obligations to maintain the security and privacy of Protected Health Information as required herein shall survive such termination. [Agency] and Business Associate may otherwise amend this Addendum by mutual written agreement. 5. INDEMNITY Business Associate shall, to the fullest extent permitted by law, protect, defend, indemnify and hold harmless [Agency] and his/her respective employees, directors, and agents (“Indemnitees”) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorney’s fees, including at trial and on appeal) asserted or imposed against any Indemnitees arising out of the acts or omissions of Business Associate or any subcontractor of or consultant of Business Associate or any of


Business Associate's employees, directors, or agents related to the performance or nonperformance of this Addendum 6. NO THIRD PARTY BENEFICIARIES Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or permitted assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever. 7. LIMITATION OF LIABILITY NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. 8. DEFINITIONS 8.1 Limited Data Set. “Limited Data Set” shall have the meaning set out in 45 C.F.R. § 164.514(e)(2), as amended from time to time. 8.2 Protected Health Information. “Protected Health Information” shall have the meaning set out in 45 C.F.R. §160.103, as amended or revised from time to time. The term shall also include any social security numbers provided or made available to Business Associate. 8.3 Required by Law. “Required by Law” shall have the meaning set forth in 45 C.F.R. §164.103, as amended or revised from time to time. [AGENCY NAME] BUSINESS ASSOCIATE By:_____________________________ By:_____________________________ Print Name:______________________ Print Name:______________________ Print Title:________________________ Print Title:_______________________ Date:____________________________ Date:___________________________
