The Basics on Business Associates and Contract Agreements

Published: October 24th, 2016

What is a Business Associate?

A business associate is any third-party person or organization that performs work or activities on behalf of a covered entity (such as a healthcare provider or health plan) where that work involves the use or disclosure of protected health information (PHI) (1). Some examples:

  • Examples of business associates: lawyers working on a case for the practice, medical transcription or medical billing companies, document storage or disposal companies, answering services, software vendors and consultants, patient safety and accreditation organizations, health information exchanges, and similar contractors.
  • Examples NOT typically considered business associates: a member of the covered entity's own workforce, another healthcare provider receiving PHI for treatment, maintenance or repair personnel, a financial or banking institution that only performs payment processing, or a janitorial service.

What are Business Associate Agreements?

HIPAA and HITECH require a covered entity to sign a business associate agreement (BAA) with each of its business associates before sharing PHI with them. The agreement obligates the business associate to protect patients' PHI in accordance with the HIPAA Privacy and Security Rules. Under HITECH, business associates are directly liable for their own HIPAA violations: they can be held accountable for a data breach and penalized for noncompliance (1).

Why are Business Associates Agreements important?

Business associate agreements are not only necessary for staying in compliance; they are crucial for the adequate protection of patient PHI because they define, in writing, what the business associate may and may not do with the data. HIPAA requires a business associate agreement to:

  1. Establish the permitted and required uses and disclosures of protected health information by the business associate.
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule about electronic protected health information.
  4. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
  5. Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings. 
  6. To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.
  7. Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.
  8. At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.
  9. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.

Contracts between a business associate and its subcontractors are subject to these same requirements (1).

Covered entities may face hefty penalties if they share PHI with a contractor without a business associate agreement in place. For example, North Memorial Health Care of Minnesota agreed to a $1.55 million settlement with HHS in 2016 after it failed to enter into a business associate agreement with a contractor that had access to its PHI. It is therefore critical that every covered entity confirm that the proper business associate agreements are signed before using the services of a third-party contractor. If your organization or practice has a question regarding business associate agreements, contact the experts at MedSafe at 1-888-MEDSAFE or visit our website at www.medsafe.com.

References:

1) http://www.hhs.gov/hipaa/for-professionals/covered...