We recently wrote about what types of third parties are considered812-post-Doctor-with-Paper-Form-ThinkstockHlib-Shabashnyi-300x184 “Business Associates” and we mentioned that, in short, a “Business Associate is any individual or company that ‘performs, or assists in the performance of’ any function or activity on behalf of a Covered Entity that involves the use or disclosure of protected health information.”

We also mentioned that, in order to protect your patients’ Protected Health Information (PHI), you should always use a Business Associate Agreement when working with BAs. In addition to being a good business practice, the Health Insurance Portability and Accountability Act requires Covered Entities to have a BA Agreement with each Business Associate.

 

The Ten Basic Requirements

The U.S. Department of Health and Human Services has ten general requirements that each BA Agreement must contain. Specifically, your BA Agreement must:

  1. “Establish the permitted and required uses and disclosures of” PHI by the BA.
  2. State that the BA “will not use or further disclose the information other than as permitted or required by the contract or as required by law.”
  3. Require the BA “to implement appropriate safeguards to prevent unauthorized use or disclosure” of the PHI, and implement the “requirements of the HIPAA Security Rule with regard to electronic PHI.”
  4. Require the BA “to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI.”
  5. Require the BA “to disclose PHI as specified in its contract to satisfy a Covered Entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings.”
  6. “To the extent the BA agreed to carry out a covered entity’s obligation under the Privacy Rule, require the BA to comply with the requirements applicable to the obligation.”
  7. Require the BA “to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, the Covered Entity for purposes of HHS determining the Covered Entity’s compliance with the HIPAA Privacy Rule;
  8. “At termination of the contract, if feasible, require the BA to return or destroy all PHI received from, or created or received by the BA on behalf of, the Covered Entity.”
  9. Require the BA “to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the BA with respect to such information.”
  10. “Authorize termination of the contract by the Covered Entity if the BA violates a material term of the contract.”

 

Additional Terms

While the HHS list contains the items your BA Agreement must contain, it should also address other legal concepts,  including identification of the parties, the term of the agreement, termination rights of the parties, and other significant terms.

If your practice needs a Business Associate Agreement or if you have an old Business Associate Agreement that needs review by an attorney, you should call one of our Health Care Attorneys today!

Image: Thinkstock/ Hlib Shabashnyi

*This article is very general in nature and does not constitute legal advice. Readers with legal questions should consult with an attorney prior to making any legal decisions.