4.4.A HIPAA/Privacy: Other Requirements - Business Associate's Policy


    LHCC contracts with various outside entities and organizations to perform functions or provide services on behalf of LHCC that may involve the disclosure of PHI to the outside entity.  These outside entities are LHCC’s business associates.  LHCC’s policy is to obtain written assurances from BA’s that they will appropriately safeguard any PHI they create or receive on LHCC’s behalf.  Such written assurances will be in place before LHCC discloses PHI to the BA.

    Lister Healthcare Corporation will not disclose protected health information to a business associate, unless Lister Healthcare Corporation has, through a written contract with the business associate, that the business associate will appropriately safeguard the information. (164.502(e)(1) and (2)


    Business Associate Definition:  A business associate is a person or entity that provides certain functions, activities, or services for or to Lister Healthcare Corporation involving the use of protected health information.

    A covered entity or business associate may not use or disclose protected health information except as permitted or required as follows: 164.502(a)  Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows: 

    • To the individual
    • For treatment, payment or health care operations as permitted by and in compliance with (164.506)
    • Treatment meaning of an individual by a healthcare provider including case management or care coordination for the individual or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the individual. Including the coordination or management of health care by a healthcare provider with a third party; consultation between health care providers relating to a patient or the referral of a patient for health care from one healthcare provider to another. 
    • Payment to mean: the ability to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan or a health care provider to obtain or provide reimbursement for the provision of health care and to relate to the individual to whom health care is provided and include but are not limited to:
      • Determinations of eligibility or coverage, adjudication of subrogation of health benefit claims. 
      • Risk adjusting amounts due based on enrollee health status and demographic characteristics:
      • Billing, claims, management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance) and related health care data processing. 
      • Review of health care services with respect to medical necessity, coverage, under a health plan, appropriateness of care or justification of charges. 
      • Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services. 
      • A covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. 

    Contract Violations: If Lister Healthcare Corporation knows of a pattern of activity or practice of the business associated that constitutes a material breach or violation of the business associate's obligations under the contract, Lister Healthcare Corporation will take reasonable steps to cure the breach or end the violation, as applicable.  If these steps are unsuccessful, Lister Healthcare Corporation will terminate the contract, if feasible, or, after consultation with legal counsel, report the issue to the appropriate federal authorities. (164.504(e)(1)(ii)

    Revised 11/2016

  • MM slash DD slash YYYY