Section 3.8 Select

Section 3 Select—Participation Data Sharing Agreements - 1

Participation Data Sharing Agreements

As part of selecting a vendor for your electronic health record (EHR), health information exchange (HIE) service, or other health information technology (HIT), you will need to execute various agreements.

Time needed: 2 hours
Suggested other tools: Section 3.7 Vendor of Choice and Contract Negotiation for EHR and HIE

How to Use

  1. Identify the nature of legal agreements into which you must enter to acquire and use EHR, HIE, and other HIT.
  2. Consult with legal counsel to ensure that agreements meet your needs and represent your interests.

Types of Legal Agreements

·  Business Associate Contract/Agreement (BAC/BAA)

-  Requirement of HIPAA Privacy and Security Rules when other businesses require access to protected health information (PHI) on a routine basis to perform work for a covered entity.

-  Under the Omnibus Rule that became effective in 2013, business associates are held directly accountable to the HIPAA Security Rule and certain provisions of the Privacy Rule. Although many business associates in the past requested that their form of business associate agreement be signed by the provider receiving the services, this is likely to become even more prevalent. As a covered entity, however, you still have the right and responsibility to ensure that any BAC you sign conforms to the HIPAA requirements and that you are comfortable with any additional clauses included.

-  A sample BAC is available from the federal government’s Office for Civil Rights at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html This sample agreement provides a number of options for several of the provisions in the agreement and directions on where they should be included.

·  Data Use Agreement

-  A HIPAA requirement for a party to use a limited data set (data that are partially but not fully de-identified) for research, public health, or health care operations. The HIPAA Privacy Rule (available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html) provides the specific details of what must be in a data use agreement.

-  The federal government does not offer a sample data use agreement. A number of examples are available on the Internet by searching “data use agreement.”

·  Data Use and Reciprocal Support Agreement (DURSA)

-  The legal, multi-party trust agreement that is entered into voluntarily by all entities, organizations and federal agencies that want to engage in electronic HIE using an agreed upon set of national standards, services and policies developed in coordination with the Office of the National Coordinator for Health IT (ONC).

-  The DURSA describes the mutual responsibilities, obligations and expectations of all participants under the agreement. This creates a framework for safe and secure health information exchange, and is designed to promote trust among participants and protect the privacy, confidentiality and security of health data that is shared.

-  The DURSA is based upon the existing body of federal, state, and local law covering privacy and security of health information. It supports the current policy framework for health information exchange. The DURSA is intended to be a legally enforceable contract. It reflects consensus among the government and private entities that developed the DURSA regarding the following issues:

• Multi-Party Agreement

• Participants Actively Engaged in Health Information Exchange

• Privacy and Security Obligations

• Requests for Information Based on a Permitted Purpose

• Duty to Respond

• Future Use of Data Received from Another Participant

• Respective Duties of Submitting and Receiving Participants

• Autonomy Principle for Access

• Use of Authorizations to Support Requests for Data

• Participant Breach Notification

• Mandatory Non-Binding Dispute Resolution

• Allocation of Liability Risk

For additional information on the DURSA, see: http://www.nationalehealth.org/dursa#sthash.jqWUPaaN.dpuf

The current version of the DURSA is available at: http://www.nationalehealth.org/ckfinder/userfiles/files/Restatement%20I__DURSA_5_3_11_FINAL_for%20PARTICIPANT%20SIGNATURE.pdf

·  State or local health information exchange organization (HIO) equivalent of the DURSA.

-  Each state or other entity establishing an HIO may opt to establish its own form of DURSA, potentially naming it something else and including additional clauses. Ensure that you consult legal counsel as you consider entering into such an agreement. For an example, see the CHIC Data Exchange and Support Agreement (DESA) at: http://www.hiebridge.org/PDF/CHIC%20HIEBridge%20DESA%20Agreement%20-%20FINAL%2011-29-2011.pdf

Copyright © 2013 Updated 03-14-13
