The requirement to established Business Associate Agreements with all subcontracts is stronger than ever. Ensuring commitment from all levels to secure Protected Health Information (PHI) is the ultimate goal and one which will continue to be the focus as we delve deeper into e-commerce, virtual transactions and online services. Committed to protecting customer data, including Protected Health Information, MHS has prepared the following Business Associate Agreement statement to reaffirm our commitment to its compliance.
Multi-Health Systems, Inc. Business Associate Agreement Statement:
Where a Covered Entity has provided MHS as the Business Associate with Protected Health Information for the purpose of executing a service as agreed upon between the two parties in a contractual obligation, it is the intent of MHS to comply with the provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), 45 C.F.R. Parts 160, 162 and 164.
- MHS will not Use or Disclose Protected Health Information except where permitted explicitly by a customer for the purposes of executing the Agreement or as required by law.
- MHS will afford an individual and/or the Covered Entity the ability to correct Personal Health Information pursuant to HIPAA regulations.
Where the use of a Subcontractor is required, MHS agrees to execute a HIPAA-compliant business associate agreement with those whose responsibilities may involve the Use of Protected Health Information.
- MHS will use appropriate physical, technical and administrative measures to prevent Use or Disclosure of Protected Health Information and ensure safeguards comply with Electronic Protected Health Information requirements.
- MHS will report any unauthorized Use, Disclosure or Breach detected to a Covered Entity in a reasonable amount of time from which it becomes aware. MHS will follow the requirements outlines in HIPAA 45 C.F.R. 164.410, including the completion of a Security Incident document.
- MHS will make available documentation related to the Use and Disclosure of Protected Health Information received from a Covered Entity or on its behalf, including but not limited to policies and procedures.
- MHS will maintain necessary records related to Covered Entity Protected Health Information.
- MHS will use agreed upon methods for encryption of transmitted Protected Health Information and/or its destruction.
Covered Entities are required to convey any restrictions related to the Protected Health Information they disclose or have generated on their behalf to ensure MHS can accommodate such requirements and remain HIPAA compliant. This includes but is not limited to the revocation of permission by an Individual to Use or Disclose Protected Health Information.
Client Access to Test Results
MHS’ position on the issue of test disclosure and the release of test results takes into consideration access rights to test information and results under the United States’ Health Insurance Portability and Accountability Act (“HIPAA”) and the Canadian Personal Information Protection and the Electronic Documents Act (“PIPEDA”). For 30 years, MHS has consistently applied and continues to maintain its non-disclosure policy of its test items, response/answer sheets (which include test items), test manuals, user guides, scoring templates, scoring keys, scoring programs and other test protocols (“Test Materials”), which is consistent with new privacy legislation in both the United States and Canada.
In the U.S. context, the HIPAA Privacy Rule provides that individuals have a qualified right of access to individually “identifiable health information” maintained in their “designated record set” by health care providers covered by HIPAA. MHS advises that Test Materials, such as test protocols, items, scoring criteria, and manuals by themselves are not “identifiable health information” and are thus not releasable. Since HIPAA does not state that the requested information should be made available in a form that is generally understandable to the client, MHS advises health care providers to retain Test Materials, such as item booklets, manuals, and scoring criteria separate from the client’s designated record set. In these circumstances, upon written request, a client may gain access to only the test results.
Even if Test Materials are considered releasable, Section 1172(e) states that health care providers are not required to disclose any information that is a trade secret or confidential commercial information. The U.S. Department of Health and Human Services (HHS) has confirmed by way of a letter dated August 6, 2003, that a client’s access request is subject to the trade secret exemption:
Any requirement for disclosure of protected health information pursuant to the Privacy Rule is subject to Section 1172(e) of HIPAA, ‘Protection of Trade Secrets.’ As such, we confirm that it would not be a violation of the Privacy Rule for a covered entity to refrain from providing access to an individual’s protected health information, to the extent that doing so would result in a disclosure of trade secrets.
MHS has confirmed that the trade secret exemption applies to proprietary Test Materials. MHS advises that its Test Materials are proprietary, copyrighted, confidential commercial information, analogous to trade secrets, and treats and protects them accordingly.
Test Materials thus fall under the exception to release in order to ensure the ongoing safeguarding of such material. To provide clients with test items, scoring criteria, and other test protocols would be to reveal trade secret information on which the scores are based and would render the Test Materials useless. Studies confirm that if test items and test protocols were readily available, the integrity of the test and scoring model could be compromised and would harm the public. There are a limited number of tests for particular purposes that cannot be easily replaced or substituted if made available upon request.
The test publishing industry considers Test Materials to be confidential information and trade secrets and protects these accordingly. To secure and protect Test Materials, MHS has required, for over 30 years, the completion of a Test User Agreement through the Qualification Process which prohibits purchasers from releasing the tests to others who are not qualified to interpret the results or who do not have the same ethical obligations to maintain test security, nor has MHS permitted its licensees, distributors, or employees to disclose such material. Furthermore, it is in the best interest of the public to protect the validity and integrity of Test Materials.
Thus, health care providers may refrain from providing access to and copies of a client’s identifiable health information, in so far as to do so would reveal valuable trade secrets and propriety information. It is MHS’ recommendation that you obtain consent from your clients and that you provide clients with summary information.
In the Canadian context, the Canadian Psychological Association (CPA) (www.cpa.ca) and MHS maintain a policy of non-disclosure of Test Materials to clients who request such material under PIPEDA and provincial legislation. Psychologists and other qualified test purchasers are encouraged to follow this policy in order to protect the integrity/validity of the assessment, protect the public, and the publisher’s intellectual property rights.
Canadian legislation is not applicable to defined intra-provincial transactions of some organizations where that province has “substantially similar” legislation to PIPEDA. The Quebec Act Respecting the Protection of Personal Information in the Private Sector, the British Columbia and Alberta Personal Information Protection Acts and the Ontario Personal Health Information Act are expected to be declared “substantially similar” by the federal Cabinet. These Acts therefore govern disclosure requests in those provinces. In practical terms, an organization in compliance with these Acts will generally be in compliance with PIPEDA. In all other provinces and territories, the federal legislation PIPEDA applies. These pieces of legislation apply to all personal information, including personal health information about an identifiable individual collected, retained, used, or disclosed in the course of commercial activities. This could include responses to items, test results, test data, reports, name, age, and gender of each client who has been administered an assessment by you, the qualified purchaser of an assessment.
Under PIPEDA, Principal 4.9 states that upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information if requested. Section 9(3)(b) is an exemption provision stipulating that you are not required to give access to personal information if to do so would reveal confidential commercial information. However, under certain circumstances, access is permissible if the confidential commercial information is severable from the record containing any other information for which access is requested. In all cases, the requested information shall be provided or made available in a form that is generally understandable to the client. Section 23 (b) in the BC Act and Section 24 (2)(b) in the Alberta Acts contain a similar “confidential commercial information” exemption as described above. The Quebec Act does not contain such an exemption; however, release of personal health information may be refused on the basis that release would bring serious harm to the client, third party, or public safety, and would reveal third party personal information. Unlike PIPEDA and provincial legislation, the new Ontario Personal Health Information Act, 2004 effective November 1, 2004, at Section 51(1)(c) provides that an individual’s access rights do NOT apply to a record that contains “raw data from standardized psychological tests or assessments,” unless reasonably severable. Access can also be refused on the basis that access may cause serious bodily harm.
Regarding the release of such material to individuals who claim access rights under PIPEDA and provincial legislation, we advise that Test Materials fall outside the definition of “personal information” since these materials are not “about” the individual and are thus not releasable to a client.
Even if Test Materials are considered personal information and thereby releasable, we advise that our Test Materials are proprietary, copyrighted, confidential commercial information, analogous to trade secrets, and we treat and protect them accordingly. Test Materials thus fall under the exception to release and access under PIPEDA and provincial legislation in order to ensure the ongoing safeguarding of such material. To provide clients with test items, scoring criteria, and other test protocols would be to reveal confidential commercial information on which the scores are based and would render the Test Materials useless. Studies confirm that if test items and test protocols were readily available, the integrity of the test and scoring model could be compromised and would harm the public. There are a limited number of tests for particular purposes that cannot be easily replaced or substituted if made available upon request. Other jurisdictions such as in the United States have indicated through the U.S. Department of Health and Human Services (HHS) that the similar “trade secret” exemption under HIPAA is applicable to Testing Material which makes the application of the confidential commercial information exemption claim neither fanciful nor disingenuous in the Canadian context.
The test publishing industry considers Test Materials to be confidential information and trade secrets and protects these accordingly. To secure and protect Test Materials, we have required, for the past 30 years, the completion of a Test User Agreement which prohibits purchasers from copying and releasing the tests to others who are not qualified to interpret the results or do not have the same ethical obligations to maintain test security, nor have we permitted licencees, distributors, or employees to disclose such material.
The CPA acknowledges that it is in the best interest of the public to protect the validity and integrity of Test Materials. As such, CPA and MHS encourage you to apply the confidential commercial information exemption under PIPEDA to access requests to ensure the ongoing safeguarding of Test Materials. Release of such material would compromise the validity and utility of the tests with resulting significant negative impact on the health of Canadians, lead to the violation of purchase agreements, and infringe on the intellectual property rights of MHS and Harcourt Assessment. Ontario legislation appears to recognize the inherent difficulty in releasing raw data including test protocols from assessments and has specifically denied access right to this material unless severable from the record.
In accordance with PIPEDA and provincial legislation, MHS and CPA’s policy supports the release of test results provided that the test results can be severed from the confidential commercial information embedded in the Test Materials and released in an understandable form. This policy permits the release of test results with an explanation of the results in a summary format (such as a feedback summary) that does not reveal the protected test items and other test protocols. Under no circumstances are individuals requesting results or other information entitled to copies of Test Materials.
Upon written request for access and release of Test Materials from your clients under PIPEDA and provincial legislation, the following steps should be followed:
- Provide the client with a detailed description/interpretation of the test results and offer to meet with the client.
- If the client wants a copy of the item booklet, or response sheet that also contain the items, and/or any materials that contain the scoring criteria, algorithm, model, or other test protocols, explain to them in writing that release of these materials is not possible as it will compromise the integrity of the tests and goes against the policy of the CPA and test developers. The requested materials are considered confidential commercial information of the test developers, and are therefore exempt from disclosure under PIPEDA or provincial legislation. Release of such materials may breach the conditions of the Test User Agreements, invalidate the assessment, and/or lead to a violation of intellectual property rights.
- You may release the client’s test results provided you are able to remove test items and scoring criteria, or other test protocols that may be attached to the results or within the document, which are considered confidential commercial information. The test results must be issued in an understandable form, such as a summary format. We suggest the provision of a detailed description/ interpretation of the test results as stated in step 1, which does not release any confidential commercial information, is sufficient for the purposes of PIPEDA and provincial legislation.
- Contact us for support if the client appeals your decision to deny access and release of Test Materials to the Privacy Commissioner of Canada, Alberta, BC, Quebec, and Ontario as the case may be.
For more information regarding CPA’s policy regarding PIPEDA and provincial legislation go to their website www.cpa.ca. For information regarding release of Test Materials in the litigation context see below.
Release of Test Materials in the Litigation Context and Ethical Obligations
We recognize that, given the nature of our legal system, compelling reasons for disclosure of secured testing material may arise. To abide by the terms of purchase, we expect purchasers to do all they can to protect copyright material and to protect the items and scoring criteria as confidential, copyrighted, and trade secret material in response to written requests and/or subpoenas. An exception to releasing test data by a subpoena exists when the qualified purchaser obtains a court order extinguishing, also known as “quashing” or modifying, the subpoena. In this case, we require qualified purchasers to bring to the court’s attention concerns regarding test security and to take steps to resolve the conflict in a responsible manner. When faced with a subpoena or court order for the reproduction of Test Materials, you should secure a court order or protective agreement (to the extent possible) containing the following requirements:
- restricted access to materials and the testimony regarding materials to the most limited audience possible, preferably only to individuals who satisfy the test publisher’s qualification policy;
- restricted copying of Test materials;
- assurance of the return or destruction of the materials at the conclusion of the proceeding (and confirmation of such return or destruction); and
- the sealing of and/or removing from the record to the extent any portion of such materials are disclosed in pleadings, testimony, or other documents in order to safeguard the integrity of the assessments. It is crucial that the Test Materials do not become part of the public record.
In the absence of a protective court order, we do not support the release of Test Materials to unqualified users who do not have an interest in maintaining the security of the test for the reasons stated above. You may wish to consult a lawyer to assist you with the above.
If you have any questions or concerns about the release of protected test materials, please contact MHS by calling 1-800-456-3003.
For further questions related to MHS, its compliance to HIPAA or privacy related inquiries please contact the Privacy Officer:
- Multi-Health Systems Inc. 3770 Victoria Park Ave. Toronto, ON, M2H 3M6