DEPARTMENT OF VETERANS AFFAIRS
Washington DC 20420

May 14, 2003

Gay Greer, Ph.D.
The American College of Surgeons Commission on Cancer
633 North Saint Clair Street Chicago, IL 60611-3211

Dear Dr. Greer:

          Enclosed is a Business Associate Agreement between the Department of Veterans Affairs (VA), Veterans Health Administration (VHA), and the American College of Surgeons' Commission on Cancer.

          The Privacy Rule promulgated by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA) requires all covered health care providers to enter into a "business associate" agreement with an accrediting agency before the covered health care provider may provide the accrediting agency with access to the provider's "Protected Health Information" (PHI) during accreditation activities. 45 CFR 160.103, 164.502(e), 164.504(e).

          Under the Privacy Rule, VHA must have these business associate agreements in place before April 14, 2003, unless VHA entered into a written contract or agreement with the accrediting agency before October 15, 2002, whether or not that agreement or contract met the business associate agreement requirements. If VHA entered into such an agreement, VHA has until the renewal date of the agreement or April 14, 2004, whichever is earlier, to sign a business associate agreement with the accrediting agency. 45 CFR 164.532(d), (e).

          As required by HIPAA, VHA is establishing agreements with each of its accreditation organizations, certifying entities and all other similar entities that provide a service to VHA (the Covered Entity) and which requires the sharing of PHI.

          It is VHA's desire to enter into a single business associate contract for the American College of Surgeons Commission on Cancer's accreditation activities relating to all programs as to which VHA is a clinical site, and the enclosed business associate contract has been prepared for that purpose. In other words, the single agreement will be between VHA Central Office and your accreditation organization, rather than a separate agreement between each VA facility and your accreditation organization. The Office of Civil Rights, Department of Health and Human Services has approved the concept of VHA entering into one business associate agreement with each accrediting body, because, although VHA facilities at various locations are clinical sites, VHA is one unitary, covered
entity.

          VHA believes that establishing the contract between the American College of Surgeons' Commission on Cancer at the corporate level and VHA Central Office is an efficient, effective vehicle through which compliance can be achieved throughout VA as well as within your organization.

I have signed the agreement.

Sincerely yours,

Robert H. Roswell, MD

Under Secretary for Health

Enclosure

5/8/2003

BUSINESS ASSOCIATE AGREEMENT
BETWEEN VETERANS HEALTH ADMINISTRATION AND
AMERICAN COLLEGE OF SURGEONS' COMMISSION ON CANCER

       This Agreement governs the provision of Protected Health Information (PHI) (as defined in 45 C.F.R. §164.501) by Veterans Health Administration (Covered Entity or VHA) to American College of Surgeons' Commission on Cancer (Approving Entity or ACoS CoC) for its use and disclosure of PHI gathered as part of the process of approving the cancer program activities conducted in whole or in part in VHA facilities. For the purposes of this agreement, and to comply with the provisions in 45 C.F.R. §164.501, the terms 'accrediting' and 'approving' are used interchangeably and VHA views the process of approval the same as accreditation. The approvals process for all American College of Surgeons' Commission on Cancer Approval Programs is described in the "Standards of the Commission on Cancer: Volume I: Cancer Program Standards" and on the ACoS web site at www.facs.org, and in documents referenced therein.

       Whereas, Approving Entity provides certain approval-related services to the Covered Entity and, in connection with the provision of those services, the Covered Entity discloses to Approving Entity PHI that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 (HIPAA);

        Whereas, VHA is a "Covered Entity" as that term is defined in the HIPAA implementing regulations, 45 C.F.R. Part 160 and Part 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule");

       Whereas, the approving entity, as a recipient of PHI from Covered Entity, is a "Business Associate" of the Covered Entity as the term "Business Associate" is defined in the Privacy Rule;

       Whereas, pursuant to the Privacy Rule, all Business Associates of Covered Entities must agree in writing to certain mandatory provisions regarding the use and disclosure of PHI; and

       Whereas, the purpose of this Agreement is to comply with the requirements of the Privacy Rule, including, but not limited to, the Business Associate contract requirements at 45 C.F.R. §§164.502(e), 164.504(e), and as may be amended.

       NOW, THEREFORE, in consideration of the mutual covenants contained herein, the parties agree as follows:

1. Definitions. Unless otherwise provided in this Agreement, capitalized terms have the same meanings as set forth in the Privacy Rule.

2. Scope of Use and Disclosure by Approving Entity of Protected Health Information

A. Approving Entity shall be permitted to make Use and Disclosure of PHI that is disclosed to it by Covered Entity as necessary to perform its obligations under Approving Entity's established policies, procedures and requirements.

B. Unless otherwise limited herein, in addition to any other Uses and/or Disclosures permitted or authorized by this Agreement or required by law, Approving Entity may:

(1) use the PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of Approving Entity;

(2) disclose the PHI in its possession to a third party for the purpose of Approving Entity's proper management and administration or to fulfill any legal responsibilities of Approving Entity; provided, however, that the disclosures are Required By Law or Approving Entity has received from the third party written assurances that (a) the information will be held confidentially and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the third party; and (b) the third party will notify the Approving Entity of any instances of which it becomes aware in which the confidentiality of the information has been breached;

(3) engage in Data Aggregation activities, consistent with the Privacy Rule; and

(4) de-identify any and all PHI created or received by Approving Entity under this Agreement; provided, that the de-identification conforms to the requirements of the Privacy Rule.

3. Obligations of Approving Entity. In connection with its Use and Disclosure of PHI, Approving Entity agrees that it will:

A. Use or further disclose PHI only as permitted or required by this Agreement or as required by law;

B. Use reasonable and appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement;

C. To the extent practicable, mitigate any harmful effect that is known to Accrediting Entity of a use or disclosure of PHI by Approving Entity in violation of this Agreement;

D. Promptly report to Covered Entity any Use or Disclosure of PHI not provided for by this Agreement of which Approving Entity becomes aware;

E. Require contractors or agents to whom Approving Entity provides PHI to agree to the same restrictions and conditions that apply to Approving Entity pursuant to this Agreement;

F. Make available to the Secretary of Health and Human Services Approving Entity's internal practices, books and records relating to the Use or Disclosure of PHI for purposes of determining Covered Entity's compliance with the Privacy Rule, subject to any applicable legal privileges;

G. If the information is included in a designated record set, within (15) days of receiving a request from Covered Entity, make available the information necessary for Covered Entity to make an accounting of Disclosures of PHI about an individual;

H. If the information is included in a designated record set, within thirty (30) days of receiving a written request from Covered Entity, make available PHI necessary for Covered Entity to respond to individuals' requests for access to PHI about them that is not in the possession of Covered Entity;

I. On receiving a written request from Covered Entity immediately incorporate any amendments or corrections to the PHI in accordance with the Privacy Rule;

J.   Not make any Disclosures of PHI that Covered Entity would be prohibited from making.

4. Obligations of Covered Entity.  Covered Entity agrees that it:

A. Has included, and will include, in Covered Entity's Notice of Privacy Practices required by the Privacy Rule that Covered Entity may disclose PHI for health care operations purposes;

B. Has obtained, and will obtain, from Individuals any consents, authorizations and other permissions necessary or required by laws applicable to Covered Entity for Approving Entity and Covered Entity to fulfill their obligations under this Agreement;

C. Will promptly notify Approving Entity in writing of any restrictions on the Use and Disclosure of PHI about Individuals that Covered Entity has agreed to that may affect Approving Entity's ability to perform its obligations under this Agreement;

D. Will promptly notify Approving Entity in writing of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes or revocation may affect Approving Entity's ability to perform its obligations under this Agreement.

5.  Termination.

A. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Approving Entity, Covered Entity shall either:

(1) provide an opportunity for Approving Entity to cure the breach or end the violation and terminate this Agreement if Approving Entity does not cure the breach or end the violation within the time specified by Covered Entity;

(2) immediately terminate this Agreement if Approving Entity has breached a material term of this Agreement and cure is not possible; or

(3) if neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary.

B. Automatic Termination. Participation in the American College of Surgeons' Commission on Cancer approved cancer programs is a voluntary process for each facility involved and is not required nor mandated by VHA, therefore each facility maintains the right to terminate or modify their approval status. This Agreement will automatically terminate for the individual participant facility upon the cessation of conducting approval activities in that facility.

C. Effect of Termination.

(1) Termination of this Agreement will result in cessation of Approving Entity conducting approval activities in all VHA facilities.

(2) Upon termination of this Agreement, Approving Entity will return or destroy all PHI received from Covered Entity or created or received by Approving Entity on behalf of Covered Entity that Approving Entity still maintains that has not been entered into the Approving Entity's database and retain no copies of such PHI; provided that if such return or destruction is not feasible because of inclusion in the Approving Entity's database or for other legitimate reason, the Approving Entity will give the Covered Entity a statement of reasons why the return or destruction of the PHI is infeasible. As the sole consequence of such determination, the Approving Entity will extend the protections of this Agreement to the PHI and limit further Use and Disclosure to those purposes that make the return or destruction of the information infeasible.

6. Rescission. This Business Agreement voids and supersedes all other previously signed Business Agreements from Covered Entity's field facilities.

7. Amendment. Approving Entity and Covered Entity agree to take such action as is necessary to amend this Agreement for Covered Entity to comply with the requirements of the Privacy Rule or other applicable law.

8. Survival. The obligations of Approving Entity under section 5.C. (2) of this Agreement shall survive any termination of this Agreement.

9. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

10. Other Applicable Law. This Agreement does not, and is not intended to, abrogate any responsibilities of the parties under any other applicable law.

11. Effective Date.

 

VHA
By:
   

             Gay L. Vincent 

Name: Robert H. Roswell, MD                                Name: Gay Vincent, CPA

Title: Under Secretary for Health              ACoS CoC

Date:  MAY 14 2003