November 6, 2013
What are the business associate requirements?
The Privacy Rule requires a covered entity to obtain satisfactory assurances from each of its business associates that the business associate will appropriately safeguard the protected health information it creates, receives, maintains, or transmits on behalf of the covered entity. Under the Omnibus Rule, a business associate must obtain the same assurances from any subcontractor that handles protected health information on its behalf, because such subcontractors are now themselves business associates. The satisfactory assurances must be documented in a written contract or other written agreement between the covered entity and the business associate (and, in turn, between the business associate and its subcontractors).
What should be in the contract? The required elements of a business associate contract are specified at 45 CFR 164.504(e), as amended by the HIPAA Omnibus Rule. A few of the requirements are:
1. Description of the permitted and required uses of protected health information.
2. Statement that protected health information will not be used or further disclosed beyond what is specifically permitted or required by the business associate contract or law.
3. Requirement that the business associate implement appropriate safeguards to prevent any use or disclosure of protected health information other than as permitted or required by the business associate contract.
4. Requirement that the business associate report to the covered entity any use or disclosure of protected health information not provided for by the contract of which it becomes aware, including breaches of unsecured protected health information.
5. Requirement that the business associate will make protected health information available to the covered entity or the individual in accordance with an individual’s right to access, amendment, and accounting of disclosures.
6. Authorization for the covered entity to terminate the contract if it determines that the business associate has violated a material term of the contract and attempts to cure the breach or end the violation are unsuccessful.
Sample Business Associate Contract: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html [1]
Good to Know
Electronic Contracts. HIPAA permits, in most cases, the use of electronic documents to satisfy the requirement for written documents. However, there are currently no standards under HIPAA for the use of electronic signatures. A covered entity must ensure that an electronic contract meets the applicable requirements of State contract law and that any electronic signature used results in a contract that is legally binding under State or other applicable law. [2]
Individual Rights. Covered entities, not business associates, are responsible for satisfying the individual rights requirements of HIPAA. HIPAA requires the business associate contract to state that the business associate must make available the protected health information it holds so that the covered entity can satisfy its obligations with respect to individual rights, including the rights of access, amendment, and accounting of disclosures. The contract must also specify that the business associate will amend protected health information when requested by the covered entity. In any case, a covered entity and its business associate may agree in the business associate contract that, where appropriate, the business associate will provide access, amendments, or an accounting directly to individuals. [3]
Notice of Privacy Practices. A business associate is not required to create a notice of privacy practices. However, a covered entity must ensure, by way of its contract, that the business associate's uses and disclosures of protected health information are consistent with the privacy practices described in the covered entity's notice of privacy practices. [4]
Covered Entity Liability. HIPAA requires a covered entity to establish a written contract or other written agreement under which its business associate agrees to safeguard protected health information. The covered entity is not required to actively monitor the business associate's compliance. If the covered entity becomes aware of a pattern of activity or practice by the business associate that constitutes a material breach or violation of the contract, the covered entity must take reasonable steps to cure the breach or end the violation; if those steps are unsuccessful, it must terminate the contract, or, if termination is not feasible, report the problem to the Secretary of HHS. A covered entity that follows these steps is not held responsible for the business associate's violation. [5] One caveat: the Omnibus Rule also made a covered entity liable, under the federal common law of agency, for violations committed by a business associate that is acting as its agent (45 CFR 160.402(c)), so a covered entity should structure the relationship and the contract so that the business associate is an independent contractor rather than an agent wherever that is practical.
Business Associate Liability. Under the HIPAA Omnibus Rule, a business associate is liable for any use or disclosure of protected health information that does not meet the requirements of its business associate agreement or the HIPAA Privacy Rule. More specifically, business associates are now directly liable for: impermissible uses and disclosures of protected health information; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to the covered entity, the individual, or the individual's designee, as specified in the business associate agreement; failure to disclose protected health information to the Secretary of HHS when required to investigate compliance; failure to provide an accounting of disclosures; and failure to comply with the requirements of the HIPAA Security Rule. [6]
Relevant HIPAA (Health Insurance Portability and Accountability Act of 1996) standards and implementation specifications, 45 CFR Part 164:
§ 164.502(e) – Uses and disclosures of protected health information: general rules (Disclosures to business associates)
§ 164.504(e) – Uses and disclosures: organizational requirements (Business associate contracts)
§ 164.532(d) and (e) – Transition provisions (Effect of prior contracts or other arrangements with business associates; Deemed compliance)
U.S. Department of Health and Human Services Resources:
1. “Sample Business Associate Agreement Provisions,” hhs.gov, published January 25, 2013, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
2. “Would business associate contracts in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule’s business associate contract requirements?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/247.html.
3. “Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/246.html.
4. “Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/390.html.
5. “Is a covered entity liable for, or required to monitor, the actions of its business associates?” hhs.gov, last modified March 14, 2006, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/236.html.
6. “HIPAA Omnibus Rule Summary,” hipaasurvivalguide.com, published February 3, 2013, http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php.