HHS Guide to Business Associate Contracts to Meet HIPAA Rules

By Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions
Twitter: @HIPAASolutions
LinkedIn: Our HIPAA Chat Group
Host of HIPAA Chat. Join us on the next broadcast.

HHS defines a business associate as, “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.” This definition also applies to a business associate’s subcontractors if they create, receive, maintain, or transmit PHI on your business associate’s behalf.

The HIPAA Rules normally require that covered entities and business associates establish a contract when working with each other, or with other business associates. And since business associates are subject to HIPAA, they can be charged with civil, and even criminal, penalties if they use or disclose PHI illegally or outside of their contract.

Therefore, HHS has released a guide to writing a contractual agreement with business associates. In it, they include ten requirements for your contract to meet, and even provide an example contract to give an impression of how these requirements can fit together.

Here is our paraphrase of HHS’ ten requirements. Health Data Management also offers an excellent summary.

  1. Establish how your business associate is required to use and disclose PHI, as well as how they are allowed to use and disclose it.
  2. Require that the business associate only use or disclose PHI according to the contract, or as required by law. If the contract or the law does not say they can do it, then they are not allowed to do it.
  3. Require your business associate to use appropriate safeguards to protect PHI from unauthorized use or disclosure. Furthermore, they must protect ePHI in a HIPAA-compliant way.
  4. Ensure that your business associate reports to you any PHI use or disclosure that the contract does not allow. This includes incidents involving a breach of unsecured PHI.
  5. Require your business associate to disclose PHI in order to help a covered entity fulfill its obligation to allow individuals to access their own PHI. They must also disclose PHI so that you can update or amend it, and incorporate those updates into their own copy of the PHI. They still have to do this according to your contract, as discussed in Requirement 1.
  6. See to it that business associates comply with the portions of HIPAA that would apply to you if you had not hired a business associate. For example, if HIPAA requires you to protect ePHI with a firewall, then they are required to protect ePHI with a firewall.
  7. Make sure that, should HHS audit your HIPAA compliance, the business associate must give HHS access to its internal practices, books, and records pertaining to the use and disclosure of PHI, and to any PHI it created or held for you.
  8. If feasible, require up front that, upon the contract’s termination, the business associate either return or destroy all PHI they received from you, or created or received on your behalf.
  9. Ensure that the restrictions and conditions you’ve placed on your business associate also extend to their subcontractors, if those subcontractors have access to your PHI.
  10. Give yourself the authority to terminate the contract if the business associate violates a material term of the contract. Contracts between business associates and their subcontractors are also subject to this requirement.

We hope that you find this resource helpful, and that you visit HHS’ guide for more information. We also have a sample business associate’s agreement, for anyone who would like a second example of what these agreements can look like.

Source: Sample Business Associate Agreement Provisions by OCR

This article was originally published on Health Security Solutions and is republished here with permission. Steve Spearman hosts HIPAA Chat, a show produced by HITECH Answers airing on our Internet radio station, HealthcareNOWradio.com. Learn more about HIPAA Chat or download podcasts of the show. Find out more about attending the next taping of HIPAA Chat and ask your questions directly to Steve.